Analysis
max time kernel: 159s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 22-02-2022 21:16
Static task: static1
Behavioral task: behavioral1
  Sample: 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe
  Resource: win10v2004-en-20220113
General
Target: 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe
Size: 584KB
MD5: d519245c5be1e9f491eb1e1ebfc88bef
SHA1: 7511d6366977ffda8b2d033667d12a563d26054b
SHA256: 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe
SHA512: 7d33a3f58d2d3f7c87fb7b3a1661550059cefa4c6a81c88f523e6f6241cb33cd2eae1d8758ad7a20776ec2fec0f64c3d0b29731c93c0e85e64b6a80de4d0c518
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Drops file in Program Files directory (2 IoCs)
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b2e7d921-858f-4027-afa6-3d2322732fc1.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129010301.pma | setup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies registry class (1 IoC)
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
1488 | msedge.exe
1488 | msedge.exe
5080 | msedge.exe
5080 | msedge.exe
4476 | msedge.exe
4476 | msedge.exe
4716 | identity_helper.exe
4716 | identity_helper.exe
1248 | msedge.exe
1248 | msedge.exe
1248 | msedge.exe
1248 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
pid | process
4476 | msedge.exe  (7 identical rows)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: svchost.exe
description | pid | process
Token: SeTcbPrivilege | 4724 | svchost.exe  (5 identical rows)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msedge.exe
pid | process
4476 | msedge.exe
4476 | msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe, msedge.exe, msedge.exe
description | pid | process | target process
(the report lists 64 rows; identical rows are collapsed here, in order of first appearance)
PID 4748 wrote to memory of 4476 | 4748 | 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe | msedge.exe
PID 4476 wrote to memory of 3064 | 4476 | msedge.exe | msedge.exe
PID 4748 wrote to memory of 3208 | 4748 | 0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe | msedge.exe
PID 3208 wrote to memory of 4372 | 3208 | msedge.exe | msedge.exe
PID 3208 wrote to memory of 432 | 3208 | msedge.exe | msedge.exe
PID 4476 wrote to memory of 1028 | 4476 | msedge.exe | msedge.exe
Processes
Note: both top-level msedge.exe launches (PIDs 4476 and 3208) open the .NET Framework startup shim's go.microsoft.com/fwlink URL carrying o1=SHIM_NOVERSION_FOUND and pver=4.5, which is what the shim does when the CLR version an executable requests is not installed on the machine. The registry, process-enumeration and file-drop signatures attributed to msedge.exe, identity_helper.exe and setup.exe below therefore come from that browser session and its installer, not from the sample's own code.

Process tree (indented by depth; each entry shows the image path with its PID, then the command line, then the signatures hit by that process):

C:\Users\Admin\AppData\Local\Temp\0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe  (PID 4748)
  "C:\Users\Admin\AppData\Local\Temp\0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe"
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4476)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3064)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9557046f8,0x7ff955704708,0x7ff955704718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1028)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5080)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1180)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3932)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1600)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1540)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 460)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1108)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5100)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4540)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1304)
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 2276)
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 4140)
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff627bb5460,0x7ff627bb5470,0x7ff627bb5480
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4716)
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5032)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6588 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2740)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4964)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1248)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7196 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3208)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4372)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9557046f8,0x7ff955704708,0x7ff955704718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 432)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6907770380460226043,2125626931611782090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1488)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6907770380460226043,2125626931611782090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe  (PID 460)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe  (PID 4724)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 78afdcc28744f3ccc897189551e60a14
  SHA1: 6408c2447363d821dc659254a324456ed16207ec
  SHA256: ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
  SHA512: 8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- MD5: 78afdcc28744f3ccc897189551e60a14
  SHA1: 6408c2447363d821dc659254a324456ed16207ec
  SHA256: ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
  SHA512: 8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
- MD5: de477c625e69a07beb047419ff93d06a
  SHA1: e843c5967dffa6ebd94c3083da5a14b60233de04
  SHA256: ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
  SHA512: ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
- MD5: de477c625e69a07beb047419ff93d06a
  SHA1: e843c5967dffa6ebd94c3083da5a14b60233de04
  SHA256: ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
  SHA512: ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
- MD5: 9c87a01920853c68babb35cca8b4c83f
  SHA1: 705c6f833b6033f9ecff6011f49bf4a119185455
  SHA256: adee1283ee7b0e2cff305d8ba551a7e0ea3838d93d2e7a980061199300ceef7e
  SHA512: 882501747528e36cb0298fd711d7dc9804367830e72b720e142b070baaa44b841fc3e9e8987574986a2075cd3b6988337a8aa75c795cb404eac56d3c0f57a8bc
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e