b4d1f0c0b99c6abafddcb654aef4b8c93a8704f40af5970d7317751e2af4eaf9

Analysis

max time kernel
385s
max time network
387s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ccp359.jpg
Size

70KB
MD5

34f410ad1ff68298fc0a3ce912e5c78b
SHA1

12c800a2e7a939d49fe4a150a621f55bd8cba24c
SHA256

b4d1f0c0b99c6abafddcb654aef4b8c93a8704f40af5970d7317751e2af4eaf9
SHA512

0aa714524c6b2686556d0fb246ac66d4cfa354f8555eb32b7229cb9ab1bcd41759ecc99cde1fce92e971f2279c9ccb4fc13b0ad9977425038c37e6e010bc5f1b
SSDEEP

1536:nwSz6b/d5ORv1KegYrViOQqhpxyQbsYMufhCzrIR5ZGL3zeZP:nwDnORvU8rPbhpx1YYZczMRb/P

Score

8^/10

microsoft phishing

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

50 4628 powershell.exe
52 4628 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

51 raw.githubusercontent.com
52 raw.githubusercontent.com
Detected potential entity reuse from brand microsoft.
phishing microsoft
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2384 sc.exe
4804 sc.exe
4308 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
50	4628	powershell.exe
52	4628	powershell.exe

flow	ioc
51	raw.githubusercontent.com
52	raw.githubusercontent.com

pid	process
2384	sc.exe
4804	sc.exe
4308	sc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

wwahost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

wwahost.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	wwahost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	wwahost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	wwahost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137"	LogonUI.exe

Modifies registry class 54 IoCs

Processes:

wwahost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceh = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	wwahost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "124"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com\ = "124"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "2"	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdoma = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1"	wwahost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceh	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "124"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\MuiCache	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceh	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "0"	wwahost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

748 reg.exe
3024 reg.exe
1568 reg.exe
908 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

392 PING.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4628 powershell.exe
4628 powershell.exe
4628 powershell.exe
3980 powershell.exe
3980 powershell.exe
3980 powershell.exe
4448 powershell.exe
4448 powershell.exe
4448 powershell.exe

pid	process
748	reg.exe
3024	reg.exe
1568	reg.exe
908	reg.exe

pid	process
392	PING.EXE

pid	process
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
6764
6900
6672
6928
6972
6984
6992
6728
5308
7020
7072
7112
7096
7076
7164
6080
2212
7136
5496
7156
1552
7044
7080
7108
7128
7160
6024
5464
5656
6880
5612
6960
6948
6924
5544
4520
5508
5560
5724
5644
6168
5896
5920
6188
6620
6616
5384
5532
5540
5888
5908
5952
5916
6020
6044
5880
6056
6048
6100
6088
6136
6116
4964
1296

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe
Token: 35	1488	WMIC.exe
Token: 36	1488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe
Token: 35	1488	WMIC.exe
Token: 36	1488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe
Token: SeRemoteShutdownPrivilege	2240	WMIC.exe
Token: SeUndockPrivilege	2240	WMIC.exe
Token: SeManageVolumePrivilege	2240	WMIC.exe
Token: 33	2240	WMIC.exe
Token: 34	2240	WMIC.exe
Token: 35	2240	WMIC.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

wwahost.exeLogonUI.exe

pid process

4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
4268 wwahost.exe
7088 LogonUI.exe

pid	process
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
4268	wwahost.exe
7088	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4628 wrote to memory of 4876	4628	powershell.exe	cmd.exe
PID 4628 wrote to memory of 4876	4628	powershell.exe	cmd.exe
PID 4876 wrote to memory of 4308	4876	cmd.exe	sc.exe
PID 4876 wrote to memory of 4308	4876	cmd.exe	sc.exe
PID 4876 wrote to memory of 2072	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 2072	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 3912	4876	cmd.exe	findstr.exe
PID 4876 wrote to memory of 3912	4876	cmd.exe	findstr.exe
PID 4876 wrote to memory of 3856	4876	cmd.exe	cmd.exe
PID 4876 wrote to memory of 3856	4876	cmd.exe	cmd.exe
PID 4876 wrote to memory of 4936	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 4936	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 1020	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 1020	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 5088	4876	cmd.exe	cmd.exe
PID 4876 wrote to memory of 5088	4876	cmd.exe	cmd.exe
PID 5088 wrote to memory of 2812	5088	cmd.exe	cmd.exe
PID 5088 wrote to memory of 2812	5088	cmd.exe	cmd.exe
PID 5088 wrote to memory of 1268	5088	cmd.exe	cmd.exe
PID 5088 wrote to memory of 1268	5088	cmd.exe	cmd.exe
PID 4876 wrote to memory of 4560	4876	cmd.exe	cmd.exe
PID 4876 wrote to memory of 4560	4876	cmd.exe	cmd.exe
PID 4876 wrote to memory of 2168	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 2168	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 1036	4876	cmd.exe	fltMC.exe
PID 4876 wrote to memory of 1036	4876	cmd.exe	fltMC.exe
PID 4876 wrote to memory of 748	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 748	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 1888	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 1888	4876	cmd.exe	find.exe
PID 4876 wrote to memory of 3024	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 3024	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 4468	4876	cmd.exe	cmd.exe
PID 4876 wrote to memory of 4468	4876	cmd.exe	cmd.exe
PID 4468 wrote to memory of 1568	4468	cmd.exe	reg.exe
PID 4468 wrote to memory of 1568	4468	cmd.exe	reg.exe
PID 4468 wrote to memory of 2384	4468	cmd.exe	sc.exe
PID 4468 wrote to memory of 2384	4468	cmd.exe	sc.exe
PID 4468 wrote to memory of 4320	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 4320	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 2020	4468	cmd.exe	findstr.exe
PID 4468 wrote to memory of 2020	4468	cmd.exe	findstr.exe
PID 4468 wrote to memory of 4492	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 4492	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 3860	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 3860	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 1452	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 1452	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 544	4468	cmd.exe	reg.exe
PID 4468 wrote to memory of 544	4468	cmd.exe	reg.exe
PID 4468 wrote to memory of 1368	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 1368	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 4636	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 4636	4468	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4696	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4696	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 2600	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 2600	4636	cmd.exe	cmd.exe
PID 4468 wrote to memory of 5076	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 5076	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 740	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 740	4468	cmd.exe	find.exe
PID 4468 wrote to memory of 2616	4468	cmd.exe	fltMC.exe
PID 4468 wrote to memory of 2616	4468	cmd.exe	fltMC.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4ccp359.jpg
1⤵
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault79ffa028hb729h433eha60bh18ef89899834
1⤵
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_29363975.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\System32\sc.exe
sc query Null
3⤵
- Launches sc.exe
PID:4308

C:\Windows\System32\find.exe
find /i "RUNNING"
3⤵
PID:2072

C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_29363975.cmd"
3⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:3856

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
3⤵
PID:4936

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
4⤵
PID:2812

C:\Windows\System32\cmd.exe
cmd
4⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_29363975.cmd" "
3⤵
PID:4560

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:2168

C:\Windows\System32\fltMC.exe
fltmc
3⤵
PID:1036

C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
3⤵
- Modifies registry key
PID:748

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:1888

C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
3⤵
- Modifies registry key
PID:3024

C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Windows\Temp\MAS_29363975.cmd" -qedit"
3⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
4⤵
- Modifies registry key
PID:1568

C:\Windows\System32\sc.exe
sc query Null
4⤵
- Launches sc.exe
PID:2384

C:\Windows\System32\find.exe
find /i "RUNNING"
4⤵
PID:4320

C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_29363975.cmd"
4⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
4⤵
PID:4492

C:\Windows\System32\find.exe
find /i "/"
4⤵
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:1452

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
4⤵
PID:544

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
5⤵
PID:4696

C:\Windows\System32\cmd.exe
cmd
5⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_29363975.cmd" "
4⤵
PID:5076

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:740

C:\Windows\System32\fltMC.exe
fltmc
4⤵
PID:2616

C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
4⤵
- Modifies registry key
PID:908

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
4⤵
PID:1408

C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
5⤵
- Runs ping.exe
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
4⤵
PID:4360

C:\Windows\System32\find.exe
find "127.69"
4⤵
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
4⤵
PID:4064

C:\Windows\System32\find.exe
find "127.69.2.6"
4⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
4⤵
PID:3400

C:\Windows\System32\find.exe
find /i "/S"
4⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
4⤵
PID:1552

C:\Windows\System32\find.exe
find /i "/"
4⤵
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
4⤵
PID:332

C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
5⤵
PID:1308

C:\Windows\System32\mode.com
mode 76, 30
4⤵
PID:508

C:\Windows\System32\choice.exe
choice /C:123456780 /N
4⤵
PID:4652

C:\Windows\System32\mode.com
mode con cols=100 lines=32
4⤵
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:5028

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\find.exe
find /i "ComputerSystem"
4⤵
PID:1036

C:\Windows\System32\sc.exe
sc query osppsvc
4⤵
- Launches sc.exe
PID:4804

C:\Windows\System32\net.exe
net start sppsvc /y
4⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start sppsvc /y
5⤵
PID:2896

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\findstr.exe
findstr /i ID
4⤵
PID:3860

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
4⤵
PID:2032

C:\Windows\System32\findstr.exe
findstr /i ID
4⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
4⤵
PID:1116

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
5⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
4⤵
PID:1324

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
5⤵
PID:3304

C:\Windows\System32\findstr.exe
findstr =
5⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
4⤵
PID:2724

C:\Windows\System32\findstr.exe
findstr /i VOLUME_KMSCLIENT
4⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
4⤵
PID:2560

C:\Windows\System32\findstr.exe
findstr /i TIMEBASED_
4⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
4⤵
PID:4092

C:\Windows\System32\findstr.exe
findstr /i VIRTUAL_MACHINE_ACTIVATION
4⤵
PID:3400

C:\Windows\System32\cmd.exe
cmd /c exit /b 3221549142
4⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
4⤵
PID:4032

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
5⤵
PID:3504

C:\Windows\System32\findstr.exe
findstr =
5⤵
PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
4⤵
PID:2596

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
5⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
4⤵
PID:5004

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
5⤵
PID:2440

C:\Windows\System32\findstr.exe
findstr =
5⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
4⤵
PID:3500

C:\Windows\System32\findstr.exe
findstr /i VOLUME_KMSCLIENT
4⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
4⤵
PID:2780

C:\Windows\System32\findstr.exe
findstr /i TIMEBASED_
4⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
4⤵
PID:1020

C:\Windows\System32\findstr.exe
findstr /i VIRTUAL_MACHINE_ACTIVATION
4⤵
PID:2464

C:\Windows\System32\cmd.exe
cmd /c exit /b 1074065472
4⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell "$([DateTime]::Now.addMinutes(187990)).ToString('yyyy-MM-dd HH:mm:ss')" 2>nul
4⤵
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$([DateTime]::Now.addMinutes(187990)).ToString('yyyy-MM-dd HH:mm:ss')"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
4⤵
PID:4456

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
5⤵
PID:1848

C:\Windows\System32\findstr.exe
findstr =
5⤵
PID:2612

C:\Windows\System32\mode.com
mode 76, 30
4⤵
PID:2616

C:\Windows\System32\choice.exe
choice /C:123456780 /N
4⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:1408

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
4⤵
PID:3304

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
4⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
5⤵
PID:2724

C:\Windows\System32\cmd.exe
cmd
5⤵
PID:880

C:\Windows\System32\mode.com
mode 76, 25
4⤵
PID:2560

C:\Windows\System32\choice.exe
choice /C:1230 /N
4⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://massgrave.dev/genuine-installation-media.html
4⤵
PID:460

C:\Windows\System32\mode.com
mode 76, 25
4⤵
PID:1244

C:\Windows\System32\choice.exe
choice /C:1230 /N
4⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3604,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=1724 /prefetch:1
1⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3836,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:1
1⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5224,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:1
1⤵
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5324,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
1⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5424,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
1⤵
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5612,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:8
1⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5892,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:1
1⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7535aff0h6af3h43a2haa1ahcfb0d00174e6
1⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5576,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:8
1⤵
PID:1844

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3931855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:7088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a1127a05777a6f6c786c6a35dc63830c

SHA1
8ab0c43d07c1f85424b1930c5a8d8450a1308beb

SHA256
895bfb1a8cccd1f8453564f85f83ed786a23d7c3f10e444a8a91c4e680bd2e23

SHA512
0625a4e211c1508ebb60a031d0479348638191315cb31763c9a5d7cc63a380078d6bd1377a012a1d8f801897d46d73372675152da3051691140404be2c481819

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1ZOFZ0HN\account.live[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qd3zl1kg.la1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\MAS_29363975.cmd
Filesize
438KB

MD5
798130b92d514c4a64c766e14c75de34

SHA1
7d5a1baf211885c03a054bc6ee614014eff77fb1

SHA256
f4d3e3708199ea4fc605fc6e30dffad89105f00e597727785f03a8de47902bf2

SHA512
a45c1a17469903739670653c9119197d55b2f4bdcedcd2071450e3c551d112ed9963d2a753dc7e60aa8b744b4d43b240ba6f186849d11e6e7ea0c391521a2cda

Download Submit
memory/4268-404-0x0000021837CE0000-0x0000021837DE0000-memory.dmp

Filesize
1024KB

Download
memory/4268-699-0x0000021837BB0000-0x0000021837CB0000-memory.dmp

Filesize
1024KB

Download
memory/4268-1345-0x0000021845D00000-0x0000021845D20000-memory.dmp

Filesize
128KB

Download
memory/4268-1010-0x0000021838020000-0x0000021838120000-memory.dmp

Filesize
1024KB

Download
memory/4268-875-0x0000021838250000-0x0000021838350000-memory.dmp

Filesize
1024KB

Download
memory/4268-784-0x0000021837670000-0x0000021837770000-memory.dmp

Filesize
1024KB

Download
memory/4268-792-0x0000021826EC0000-0x0000021826FC0000-memory.dmp

Filesize
1024KB

Download
memory/4268-757-0x0000021826780000-0x00000218267A0000-memory.dmp

Filesize
128KB

Download
memory/4268-698-0x0000021837BB0000-0x0000021837CB0000-memory.dmp

Filesize
1024KB

Download
memory/4268-351-0x00000218377F0000-0x00000218378F0000-memory.dmp

Filesize
1024KB

Download
memory/4268-245-0x00000218246B0000-0x00000218246D0000-memory.dmp

Filesize
128KB

Download
memory/4268-340-0x0000021824CB0000-0x0000021824CD0000-memory.dmp

Filesize
128KB

Download
memory/4268-405-0x0000021837BB0000-0x0000021837CB0000-memory.dmp

Filesize
1024KB

Download
memory/4268-519-0x0000021839700000-0x0000021839800000-memory.dmp

Filesize
1024KB

Download
memory/4268-502-0x0000021838A70000-0x0000021838B70000-memory.dmp

Filesize
1024KB

Download
memory/4268-370-0x0000021837A00000-0x0000021837B00000-memory.dmp

Filesize
1024KB

Download
memory/4268-353-0x00000218377F0000-0x00000218378F0000-memory.dmp

Filesize
1024KB

Download
memory/4628-14-0x000001ADEB490000-0x000001ADEB4D4000-memory.dmp

Filesize
272KB

Download
memory/4628-2-0x00007FFC03A53000-0x00007FFC03A55000-memory.dmp

Filesize
8KB

Download
memory/4628-12-0x000001ADEAFD0000-0x000001ADEAFF2000-memory.dmp

Filesize
136KB

Download
memory/4628-51-0x00007FFC03A50000-0x00007FFC04511000-memory.dmp

Filesize
10.8MB

Download
memory/4628-13-0x00007FFC03A50000-0x00007FFC04511000-memory.dmp

Filesize
10.8MB

Download
memory/4628-16-0x000001ADEB560000-0x000001ADEB5D6000-memory.dmp

Filesize
472KB

Download
memory/4628-15-0x00007FFC03A50000-0x00007FFC04511000-memory.dmp

Filesize
10.8MB

Download
memory/4628-23-0x00007FFC03A50000-0x00007FFC04511000-memory.dmp

Filesize
10.8MB

Download
memory/4628-22-0x000001ADEB7B0000-0x000001ADEB972000-memory.dmp

Filesize
1.8MB

Download
memory/4628-19-0x00007FFC03A53000-0x00007FFC03A55000-memory.dmp

Filesize
8KB

Download
memory/4628-18-0x00007FFC03A50000-0x00007FFC04511000-memory.dmp

Filesize
10.8MB

Download