Analysis
-
max time kernel
188s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
10-02-2022 02:57
Static task
static1
Behavioral task
behavioral1
Sample
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe
Resource
win10v2004-en-20220112
General
-
Target
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe
-
Size
2.9MB
-
MD5
d54474edd997f5ae1772d45974bd7005
-
SHA1
1c6dd6518d61df04fe42b4280cbe1c0e62bb352b
-
SHA256
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57
-
SHA512
e9f187eebdbef0c0b38d01c163c827ed6e6e5fcbe355ac50cded01521425a558f3d090c8b6d1039c760c623ca20432fe830d647428188428761e4b3a75d067f9
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Processes:
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Modifies data under HKEY_USERS 45 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4156" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.075265" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132891120901901271" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe -
Modifies registry class 21 IoCs
Processes:
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell\open 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\ = "URL:de.web.mcl.redirect" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell\open\command 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\ = "URL:net.gmx.mcl.redirect" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\URL Protocol 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\ = "URL:com.mail.mcl.redirect" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\URL Protocol 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\URL Protocol 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell\open 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe --weblogin \"%1\"" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell\open\command 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe --weblogin \"%1\"" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell\open\command 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe --weblogin \"%1\"" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell\open 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msedge.exepid process 2136 msedge.exe 2136 msedge.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exepid process 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exepid process 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exemsedge.exedescription pid process target process PID 3284 wrote to memory of 408 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe msedge.exe PID 3284 wrote to memory of 408 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe msedge.exe PID 408 wrote to memory of 452 408 msedge.exe msedge.exe PID 408 wrote to memory of 452 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 540 408 msedge.exe msedge.exe PID 408 wrote to memory of 2136 408 msedge.exe msedge.exe PID 408 wrote to memory of 2136 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe PID 408 wrote to memory of 636 408 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe"C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe"1⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe"C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe" /SU1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --new-window "http://go.1und1.de/os/win/edge_runonce"2⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9bd2046f8,0x7ff9bd204708,0x7ff9bd2047183⤵PID:452
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,7881462317759381813,8669994732358346024,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:23⤵PID:540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,7881462317759381813,8669994732358346024,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2740 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,7881462317759381813,8669994732358346024,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:83⤵PID:636
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3348
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3164
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3292
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e