Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-09-2022 15:51
Static task: static1
Behavioral task: behavioral1
  Sample: 94c505176de54f8014133b05bb1c876b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 94c505176de54f8014133b05bb1c876b.exe
  Resource: win10v2004-20220901-en
General
Target: 94c505176de54f8014133b05bb1c876b.exe
Size: 1.4MB
MD5: 94c505176de54f8014133b05bb1c876b
SHA1: ecb70019c807f95741855b7fecfb8d38fd8f2c19
SHA256: 91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
SHA512: 6c347bdd33f6ee66f284bb6042384c85c52407ad3fb59051bb5510a41e207113ec70a6107d2a4bed5bb1c7b2b47dd258923daf2173f0fcf5f7cf1cb329e11e1b
SSDEEP: 24576:JL4LJZWICKQiBCKe7XChkKSyDQe7XLciXyBdCbO4Eh5oJJw4:6LJIIB3yehRDbXvX9bO4Eh5oT
Malware Config
Extracted: remcos
PeterObi2023
76.8.53.133:1198
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: sdfge.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: fghoiuytr.dat
keylog_flag: false
mouse_option: false
mutex: fghjcvbn-UURPOS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: dfghrtyu
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  4968 sdfge.exe
  2404 sdfge.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (94c505176de54f8014133b05bb1c876b.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (WScript.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (sdfge.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\"" (sdfge.exe)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (94c505176de54f8014133b05bb1c876b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\"" (94c505176de54f8014133b05bb1c876b.exe)
Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process, target process):
  PID 3628 set thread context of 4528: 3628 94c505176de54f8014133b05bb1c876b.exe -> 94c505176de54f8014133b05bb1c876b.exe
  PID 4968 set thread context of 2404: 4968 sdfge.exe -> sdfge.exe
  PID 2404 set thread context of 2260: 2404 sdfge.exe -> svchost.exe
  PID 2404 set thread context of 1820: 2404 sdfge.exe -> svchost.exe
Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2bd32f98-3d8d-4952-9e5a-edce4232b97e.tmp (setup.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220906155327.pma (setup.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Modifies registry class (2 IoCs)
Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (94c505176de54f8014133b05bb1c876b.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes (pid, process, number of entries):
  3628 94c505176de54f8014133b05bb1c876b.exe (11)
  4968 sdfge.exe (7)
  1956 msedge.exe (2)
  3260 msedge.exe (2)
  2484 identity_helper.exe (2)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid, process, number of entries):
  2404 sdfge.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes (pid, process, number of entries):
  3260 msedge.exe (9)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 3628 94c505176de54f8014133b05bb1c876b.exe
  Token: SeDebugPrivilege, 4968 sdfge.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid, process, number of entries):
  3260 msedge.exe (3)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
  2404 sdfge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid and process -> target pid and process, number of entries):
  3628 94c505176de54f8014133b05bb1c876b.exe -> 4680 94c505176de54f8014133b05bb1c876b.exe (3)
  3628 94c505176de54f8014133b05bb1c876b.exe -> 3380 94c505176de54f8014133b05bb1c876b.exe (3)
  3628 94c505176de54f8014133b05bb1c876b.exe -> 4528 94c505176de54f8014133b05bb1c876b.exe (12)
  4528 94c505176de54f8014133b05bb1c876b.exe -> 3708 WScript.exe (3)
  3708 WScript.exe -> 1772 cmd.exe (3)
  1772 cmd.exe -> 4968 sdfge.exe (3)
  4968 sdfge.exe -> 2404 sdfge.exe (12)
  2404 sdfge.exe -> 2260 svchost.exe (4)
  2260 svchost.exe -> 3260 msedge.exe (2)
  3260 msedge.exe -> 1436 msedge.exe (2)
  3260 msedge.exe -> 2500 msedge.exe (17)
Processes (tree; indentation and level number give the parent/child depth; "cmd" is the recorded command line)

(level 1) C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe"
  (level 2) C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe"
  (level 2) C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\94c505176de54f8014133b05bb1c876b.exe"
    signatures: Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      (level 4) C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sdfge.exe"
        signatures: Suspicious use of WriteProcessMemory
        (level 5) C:\Users\Admin\AppData\Roaming\sdfge.exe
          cmd: C:\Users\Admin\AppData\Roaming\sdfge.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          (level 6) C:\Users\Admin\AppData\Roaming\sdfge.exe
            cmd: "C:\Users\Admin\AppData\Roaming\sdfge.exe"
            signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            (level 7) C:\Windows\SysWOW64\svchost.exe
              cmd: svchost.exe
              signatures: Suspicious use of WriteProcessMemory
              (level 8) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9951146f8,0x7ff995114708,0x7ff995114718
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
                  signatures: Suspicious behavior: EnumeratesProcesses
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3120 /prefetch:8
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:8
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 /prefetch:8
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                  signatures: Drops file in Program Files directory
                  (level 10) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff718555460,0x7ff718555470,0x7ff718555480
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
                  signatures: Suspicious behavior: EnumeratesProcesses
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8305106144698706276,14976218694477706475,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
              (level 8) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9951146f8,0x7ff995114708,0x7ff995114718
            (level 7) C:\Windows\SysWOW64\svchost.exe
              cmd: svchost.exe
              (level 8) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                (level 9) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff9951146f8,0x7ff995114708,0x7ff995114718
(level 1) C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 66bc9611dd085dd5e1366c94b84456cd
  SHA1: 613339f5891bf2c9e54ef565c54eb18be42d65fb
  SHA256: 27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22
  SHA512: 196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 402B
  MD5: 98acdc6ea897431e57cab98ee8203874
  SHA1: 1858e36b790f415f850063b1aa291846a1b4b4b1
  SHA256: e55d508c8f0fbfbb78d556fbd969e1611b95872b8f73f046e7c71c5c2804a50a
  SHA512: ac41f7acb3be653f398066d353120935cc3764fdddb9346fddc6012f1d0e61a3a09a7a434806cab3654c37a1301d637081d921a634b1919b72d4e07e66b38aa7

C:\Users\Admin\AppData\Roaming\sdfge.exe (identical hashes to the submitted sample, i.e. a self-copy)
  Filesize: 1.4MB
  MD5: 94c505176de54f8014133b05bb1c876b
  SHA1: ecb70019c807f95741855b7fecfb8d38fd8f2c19
  SHA256: 91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
  SHA512: 6c347bdd33f6ee66f284bb6042384c85c52407ad3fb59051bb5510a41e207113ec70a6107d2a4bed5bb1c7b2b47dd258923daf2173f0fcf5f7cf1cb329e11e1b

\??\pipe\LOCAL\crashpad_3260_NLYUJDNQMIXNIPBB (hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e