Analysis
  Max time kernel: 306s
  Max time network: 314s
  Platform: windows11_x64
  Resource: win11
  Submitted: 12-08-2021 21:11

Static task: static1

URLScan task: urlscan1
  Sample: https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/

Behavioral task: behavioral1
  Sample: https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/
  Resource: win11

General
  Target: https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/
  Sample: 210812-vb6w76c19x
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msedge.exe
  Process | Description | IoC
  msedge.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run
  msedge.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
  Process | Description | IoC
  svchost.exe | File opened (read-only) | \??\D:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: svchost.exe
  Process | Description | IoC
  svchost.exe | File opened for modification | \??\PhysicalDrive0
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe
  Process | Description | IoC
  svchost.exe | File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst
  svchost.exe | File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
  svchost.exe | File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.override
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MoUsoCoreWorker.exe
  Process | Description | IoC
  MoUsoCoreWorker.exe | Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  MoUsoCoreWorker.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  Process | Description | IoC
  msedge.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Modifies Internet Explorer settings
Processes: iexplore.exe
  Process | Description | IoC
  iexplore.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3538011190"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"
  iexplore.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "30904290"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"
  iexplore.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"
  iexplore.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "5140"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"
  iexplore.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\VersionManager
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"
  iexplore.exe | Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"
  iexplore.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"
Modifies data under HKEY_USERS (8 IoCs)
Processes: svchost.exe, svchost.exe, svchost.exe
  Process | Description | IoC
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall
  svchost.exe | Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall
  svchost.exe | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  PID | Process
  3968 | msedge.exe
  3968 | msedge.exe
  5100 | msedge.exe
  5100 | msedge.exe
  5500 | identity_helper.exe
  5500 | identity_helper.exe
  1236 | msedge.exe
  1236 | msedge.exe
  1236 | msedge.exe
  1236 | msedge.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: svchost.exe, svchost.exe, MoUsoCoreWorker.exe
  Description | PID | Process
  Token: SeSystemEnvironmentPrivilege | 4668 | svchost.exe
  Token: SeTcbPrivilege | 5464 | svchost.exe
  Token: SeTcbPrivilege | 5464 | svchost.exe
  Token: SeTcbPrivilege | 5464 | svchost.exe
  Token: SeTcbPrivilege | 5464 | svchost.exe
  Token: SeTcbPrivilege | 5464 | svchost.exe
  Token: SeTcbPrivilege | 5464 | svchost.exe
  Token: SeShutdownPrivilege | 508 | MoUsoCoreWorker.exe
  Token: SeCreatePagefilePrivilege | 508 | MoUsoCoreWorker.exe
  Token: SeShutdownPrivilege | 508 | MoUsoCoreWorker.exe
  Token: SeCreatePagefilePrivilege | 508 | MoUsoCoreWorker.exe
  Token: SeShutdownPrivilege | 508 | MoUsoCoreWorker.exe
  Token: SeCreatePagefilePrivilege | 508 | MoUsoCoreWorker.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msedge.exe
  PID | Process
  5100 | msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: iexplore.exe, svchost.exe, msedge.exe
  Description | PID | Process | Target process | Entries
  PID 3112 wrote to memory of 5100 | 3112 | iexplore.exe | msedge.exe | 2
  PID 4884 wrote to memory of 4736 | 4884 | svchost.exe | pcaui.exe | 2
  PID 5100 wrote to memory of 452 | 5100 | msedge.exe | msedge.exe | 2
  PID 5100 wrote to memory of 3896 | 5100 | msedge.exe | msedge.exe | 40
  PID 5100 wrote to memory of 3968 | 5100 | msedge.exe | msedge.exe | 2
  PID 5100 wrote to memory of 3448 | 5100 | msedge.exe | msedge.exe | 16
Processes
(Process tree; indentation shows parent/child depth. Each entry lists the image path, the observed command line, and the signatures attributed to that process.)

C:\Windows\system32\wlrmdr.exe
  Command line: -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/
  Signatures: Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/"
      Signatures: Adds Run key to start application; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa0fde46f8,0x7ffa0fde4708,0x7ffa0fde4718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
          Signatures: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3524 /prefetch:2
          Signatures: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  Signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory

    C:\Windows\System32\pcaui.exe
      Command line: C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  Signatures: Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  Signatures: Enumerates connected drives; Writes to the Master Boot Record (MBR)

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc

    C:\Program Files\Windows Defender\mpcmdrun.exe
      Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  Signatures: Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_1033533384\1d147c3b-6a51-425f-a960-c0159921df27
  MD5:    22351f8e29208582a8c4a3be256433d7
  SHA1:   f05a56b94cfaf46b1c74f815cc9b9d80784ffb7e
  SHA256: 9ab1dc1c2c03aa5b274e583dc42891bc07dcceea577ac348940e112b48fa6006
  SHA512: e13bf84d66b5f067508f5a8fb92cbea9bde8ffa3cca9a72ef1baf30d4675807de90fb2b461ea8f5ede9e13003c9fa5f3f56213aa09e4d8a2294f1f08c110a731

C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_1733780998\73488d35-4a20-45e5-a813-40b10aec38a5
  MD5:    30de66cb327e7099a99792617f0d2ee2
  SHA1:   477a8b9bebd09a70483f605e5e946a41c7cc11c1
  SHA256: 2b9686f8469e6fa45d1b911dbce40dd84a569f702c6d52586503ef8aa3cbc8d1
  SHA512: d408e1d6b045aecfd40738b8344a9393a2a4a0e14e83c74710605a4c319a8c7655130885adf92656f7c81c9cd82388db5d39caf1b5eb3d4c3c6926b5516d0e27

C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_186035517\320fa221-fff7-48f5-b84b-2dd6068ee237
  MD5:    3c6861d6e575eebddfbc882af631e81e
  SHA1:   801ed776129028dfc70256707252682d07ab7cb1
  SHA256: ac709ac32c42d190b315519bfdf8b1b7cfdd136bf13ec17f66b9a119d62e6604
  SHA512: f4c74ee2a793b437d1a263ff1dac06bfb13b7bb3b1ccdf5768f3518c1fdcb39dc45df15ba9d14cb512d1cebd991648497ecb9c1041ebc428aec62c88f6773a58

C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_616103542\b22f5f18-f7ea-4290-929d-b13c03908334
  MD5:    a36d70bcd9333175811c53122f7d2c1d
  SHA1:   9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c
  SHA256: 26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00
  SHA512: e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5

C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_70418047\0a5f110e-e0a3-4b12-a860-a8e62e3be71f
  MD5:    43456ea826951e20c9d0694a01f1886b
  SHA1:   9c848aa393d9ea2fd63873381e3af72b7a2e03f4
  SHA256: 68715ca8cdd03437049d6d9d2ceb47584b886a7807bc9b2b483e3faa174694df
  SHA512: 1c102ac415d393754e3ab07b5ffe6ebc60ad4888072bf194d85c57da07eef58fa7ba21ee2a6a45a287540325da1a72c9de362526fc62f122c340021d80ea0d74

C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_952835577\1d71b726-bb6c-499c-bc59-57a82a35d8d6
  MD5:    1b091fbe5d7937e50c27fc48d9a7b50e
  SHA1:   6477774d4abff26ab4944b4c627c92907817c9c9
  SHA256: b45fc5f3479dc7b07e8e5822a11785819b7f1c249c9b47dcffcb28edbbc2d706
  SHA512: 2ee60c4408ebcec951570cdf0d6d49fd287febde607ef94128519fa2424823010e9fca080175f6f0e7e197232721def033ee82f9b4d9be9cdab6fb7e27526399

\??\pipe\LOCAL\crashpad_5100_LIVEPMFKSGVHSUMG
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps

  memory/452-151-0x0000000000000000-mapping.dmp
  memory/660-172-0x0000000000000000-mapping.dmp
  memory/1068-245-0x0000000000000000-mapping.dmp
  memory/1236-229-0x0000000000000000-mapping.dmp
  memory/1564-239-0x0000000000000000-mapping.dmp
  memory/2184-249-0x0000000000000000-mapping.dmp
  memory/2420-213-0x0000000000000000-mapping.dmp
  memory/2540-225-0x0000000000000000-mapping.dmp
  memory/3112-146-0x00007FFA12800000-0x00007FFA12865000-memory.dmp (filesize 404KB)
  memory/3208-219-0x0000000000000000-mapping.dmp
  memory/3388-175-0x0000000000000000-mapping.dmp
  memory/3448-167-0x0000000000000000-mapping.dmp
  memory/3896-159-0x00007FFA32310000-0x00007FFA32311000-memory.dmp (filesize 4KB)
  memory/3896-155-0x0000000000000000-mapping.dmp
  memory/3968-156-0x0000000000000000-mapping.dmp
  memory/4736-147-0x0000000000000000-mapping.dmp
  memory/5100-148-0x0000000000000000-mapping.dmp
  memory/5228-186-0x0000000000000000-mapping.dmp
  memory/5244-189-0x0000000000000000-mapping.dmp
  memory/5500-199-0x0000000000000000-mapping.dmp
  memory/5768-236-0x0000020BB64F0000-0x0000020BB64F4000-memory.dmp (filesize 16KB)
  memory/5768-235-0x0000020BB64F0000-0x0000020BB64F4000-memory.dmp (filesize 16KB)
  memory/5768-204-0x0000020BB6130000-0x0000020BB6134000-memory.dmp (filesize 16KB)
  memory/5768-203-0x0000020BB3B30000-0x0000020BB3B40000-memory.dmp (filesize 64KB)
  memory/5768-202-0x0000020BB3AB0000-0x0000020BB3AC0000-memory.dmp (filesize 64KB)
  memory/5768-250-0x0000020BB6450000-0x0000020BB6454000-memory.dmp (filesize 16KB)
  memory/5768-251-0x0000020BB6430000-0x0000020BB6431000-memory.dmp (filesize 4KB)
  memory/5768-252-0x0000020BB6160000-0x0000020BB6164000-memory.dmp (filesize 16KB)
  memory/5768-253-0x0000020BB6150000-0x0000020BB6151000-memory.dmp (filesize 4KB)
  memory/5768-254-0x0000020BB6150000-0x0000020BB6154000-memory.dmp (filesize 16KB)
  memory/5768-255-0x0000020BB6030000-0x0000020BB6031000-memory.dmp (filesize 4KB)
  memory/6044-207-0x0000000000000000-mapping.dmp