Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 18:57
Static task: static1
Behavioral task: behavioral1
- Sample: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Resource: win10v2004-20220414-en
General
- Target: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Size: 589KB
- MD5: e43244db36895d6a28850d3408d80f45
- SHA1: 86ef0edf0a3f2f3edf4192fdd3addedda48945c9
- SHA256: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3
- SHA512: d55ae92112dccbc515e4b9790bf7470304ae9fe3c50d200d31ba91ebbf1870f15978cdb622b0b51c126656865e5c947a201cffae337f058c8783a58813286004
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
description | ioc | process
File opened for modification | \??\c:\Users\Admin\Pictures\SwitchDismount.tiff | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
File opened for modification | \??\c:\Users\Admin\Pictures\UnlockUse.tiff | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe, msedge.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opt321 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\asasin.bmp" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
-
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\34569ba9-507e-4eb1-ba5f-1ddca64548e9.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220613014032.pma | setup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
1752 | vssadmin.exe
-
Modifies Control Panel 2 IoCs
Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\WallpaperStyle = "0" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\TileWallpaper = "0" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
-
Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
1492 | msedge.exe
1492 | msedge.exe
4812 | msedge.exe
4812 | msedge.exe
296 | identity_helper.exe
296 | identity_helper.exe
1928 | msedge.exe
1928 | msedge.exe
1928 | msedge.exe
1928 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes: msedge.exe
pid | process
4812 | msedge.exe
4812 | msedge.exe
4812 | msedge.exe
4812 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeTakeOwnershipPrivilege | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeBackupPrivilege | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeRestorePrivilege | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeBackupPrivilege | 4412 | vssvc.exe
Token: SeRestorePrivilege | 4412 | vssvc.exe
Token: SeAuditPrivilege | 4412 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msedge.exe
pid | process
4812 | msedge.exe
4812 | msedge.exe
4812 | msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe, msedge.exe
description | pid | process | target process
PID 2272 wrote to memory of 4812 | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | msedge.exe
PID 2272 wrote to memory of 4812 | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | msedge.exe
PID 2272 wrote to memory of 3552 | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | cmd.exe
PID 2272 wrote to memory of 3552 | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | cmd.exe
PID 2272 wrote to memory of 3552 | 2272 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | cmd.exe
PID 4812 wrote to memory of 4516 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4516 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 116 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 1492 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 1492 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
PID 4812 wrote to memory of 4928 | 4812 | msedge.exe | msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2272
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\asasin.htm
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4812
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83f3646f8,0x7ff83f364708,0x7ff83f364718
      PID: 4516
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      PID: 116
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 1492
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      PID: 4928
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      PID: 3948
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      PID: 3092
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 /prefetch:8
      PID: 3868
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5052 /prefetch:8
      PID: 1804
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
      PID: 4956
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      PID: 2724
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff7de5e5460,0x7ff7de5e5470,0x7ff7de5e5480
        PID: 1384
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 296
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      PID: 2880
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
      PID: 2560
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
      PID: 3548
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
      PID: 3584
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3784 /prefetch:8
      PID: 1072
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 1928
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
      PID: 3920
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
    PID: 3552
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4412
- C:\Windows\system32\vssadmin.exe
  Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
  - Interacts with shadow copies
  PID: 1752
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\Desktop\asasin.htm
  Filesize: 8KB
  MD5: 875dc4fa9aa5cd121a04b3b3b312971e
  SHA1: 921b443f02d17f94153eb3dfc9564286efc26db1
  SHA256: 1bd896f97fb789ff852036af869725ed6a83189c3cc09a893f15dfc9f49a2e51
  SHA512: 1d377d3a6362eb097baca48414154699736376a41884d97bcf260785a441f001e03ee5e47d55c6ceb46f2c3e58eaf9c94e8a6401e5b4e9f5edf788c01e240181
- \??\pipe\LOCAL\crashpad_4812_TFBHSHXGXNOLSIZO
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/116-140-0x0000000000000000-mapping.dmp
- memory/296-156-0x0000000000000000-mapping.dmp
- memory/1072-166-0x0000000000000000-mapping.dmp
- memory/1384-155-0x0000000000000000-mapping.dmp
- memory/1492-141-0x0000000000000000-mapping.dmp
- memory/1804-153-0x0000000000000000-mapping.dmp
- memory/1928-167-0x0000000000000000-mapping.dmp
- memory/2272-137-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/2272-134-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/2272-132-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/2272-131-0x0000000000400000-0x0000000000489000-memory.dmp
  Filesize: 548KB
- memory/2272-130-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/2560-160-0x0000000000000000-mapping.dmp
- memory/2724-154-0x0000000000000000-mapping.dmp
- memory/2880-158-0x0000000000000000-mapping.dmp
- memory/3092-148-0x0000000000000000-mapping.dmp
- memory/3548-162-0x0000000000000000-mapping.dmp
- memory/3552-136-0x0000000000000000-mapping.dmp
- memory/3584-164-0x0000000000000000-mapping.dmp
- memory/3868-151-0x0000000000000000-mapping.dmp
- memory/3920-169-0x0000000000000000-mapping.dmp
- memory/3948-146-0x0000000000000000-mapping.dmp
- memory/4516-138-0x0000000000000000-mapping.dmp
- memory/4812-135-0x0000000000000000-mapping.dmp
- memory/4928-144-0x0000000000000000-mapping.dmp