Resubmissions
16-09-2022 06:07
- 220916-gvaj4saeen (score 10) 16-09-2022 06:06
- 220916-gtp86segh5 (score 1) 16-09-2022 05:24
- 220916-f36rvaaeal (score 10) 15-09-2022 08:38
- 220915-kj2e8scdh7 (score 10)

Analysis
max time kernel: 49s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2022 06:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
  Resource: win10v2004-20220901-en
General
Target: https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0

Malware Config

Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Downloads MZ/PE file
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  125 | ipinfo.io
  124 | ipinfo.io
- Drops file in System32 directory (4 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | Install.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | Install.exe
  File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | Install.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | Install.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\08e93548-9777-4ecf-814e-7bd703ac02cd.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220916060733.pma | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | msedge.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
  3972 | msedge.exe (x2)
  852 | msedge.exe (x2)
  3364 | identity_helper.exe (x2)
  5456 | msedge.exe (x2)
  5856 | Install.exe (x6)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  Processes (pid | process):
  852 | msedge.exe (x8)
- Suspicious use of FindShellTrayWindow (13 IoCs)
  Processes (pid | process):
  852 | msedge.exe (x13)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  5856 | Install.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), 64 entries in total, repeated rows collapsed:
  PID 5012 wrote to memory of 852 | 5012 | cmd.exe | msedge.exe (x2)
  PID 852 wrote to memory of 1400 | 852 | msedge.exe | msedge.exe (x2)
  PID 852 wrote to memory of 508 | 852 | msedge.exe | msedge.exe (repeated)
  PID 852 wrote to memory of 3972 | 852 | msedge.exe | msedge.exe (x2)
  PID 852 wrote to memory of 1496 | 852 | msedge.exe | msedge.exe (repeated)
Processes
(indentation shows the process tree depth; the command line follows each image path)

- C:\Windows\system32\cmd.exe
  cmd /c start microsoft-edge:https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
  Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
      Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffca7646f8,0x7fffca764708,0x7fffca764718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6120 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          Signatures: Drops file in Program Files directory
            - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff74dca5460,0x7ff74dca5470,0x7ff74dca5480
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
          Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
          Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17813294472555746166,7856791318361529141,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Pictures\Minor Policy\OEm6ZuNCOpX0nXSJCAIAbgOT.exe
      "C:\Users\Admin\Pictures\Minor Policy\OEm6ZuNCOpX0nXSJCAIAbgOT.exe"
    - C:\Users\Admin\Pictures\Minor Policy\3juG9QgLKXBW8EEKTA1FEtGA.exe
      "C:\Users\Admin\Pictures\Minor Policy\3juG9QgLKXBW8EEKTA1FEtGA.exe"
    - C:\Users\Admin\Pictures\Minor Policy\LPyhnpXeFGhwtcOuDtjBzcIL.exe
      "C:\Users\Admin\Pictures\Minor Policy\LPyhnpXeFGhwtcOuDtjBzcIL.exe"
    - C:\Users\Admin\Pictures\Minor Policy\ihZabcVUtgPuEP2NefZkUgCE.exe
      "C:\Users\Admin\Pictures\Minor Policy\ihZabcVUtgPuEP2NefZkUgCE.exe"
    - C:\Users\Admin\Pictures\Minor Policy\kzD_Hu_s9cna9UMuV13PD96B.exe
      "C:\Users\Admin\Pictures\Minor Policy\kzD_Hu_s9cna9UMuV13PD96B.exe"
    - C:\Users\Admin\Pictures\Minor Policy\eXONzbhHkMyOAgyh9_wrqiaH.exe
      "C:\Users\Admin\Pictures\Minor Policy\eXONzbhHkMyOAgyh9_wrqiaH.exe"
    - C:\Users\Admin\Pictures\Minor Policy\zxkaVQoI7wfNKNhy2nOznOCB.exe
      "C:\Users\Admin\Pictures\Minor Policy\zxkaVQoI7wfNKNhy2nOznOCB.exe"
    - C:\Users\Admin\Pictures\Minor Policy\ohy2RXPHB3aW2Iy8vjzZxkZC.exe
      "C:\Users\Admin\Pictures\Minor Policy\ohy2RXPHB3aW2Iy8vjzZxkZC.exe"
    - C:\Users\Admin\Pictures\Minor Policy\CfciHqX1bx1iUzB2FWVczU8_.exe
      "C:\Users\Admin\Pictures\Minor Policy\CfciHqX1bx1iUzB2FWVczU8_.exe"
    - C:\Users\Admin\Pictures\Minor Policy\ovWrUKm4cneyZexPzkCdZp2n.exe
      "C:\Users\Admin\Pictures\Minor Policy\ovWrUKm4cneyZexPzkCdZp2n.exe"
    - C:\Users\Admin\Pictures\Minor Policy\8qqVNnXzWDYGoUOrm5KVN8jy.exe
      "C:\Users\Admin\Pictures\Minor Policy\8qqVNnXzWDYGoUOrm5KVN8jy.exe"
    - C:\Users\Admin\Pictures\Minor Policy\g6O6zuxFRP5nwtBVZ72VIt9G.exe
      "C:\Users\Admin\Pictures\Minor Policy\g6O6zuxFRP5nwtBVZ72VIt9G.exe"
    - C:\Users\Admin\Pictures\Minor Policy\S5igZuNDJnuoGjTW8c6pejzz.exe
      "C:\Users\Admin\Pictures\Minor Policy\S5igZuNDJnuoGjTW8c6pejzz.exe"
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Pictures\Minor Policy\ohy2RXPHB3aW2Iy8vjzZxkZC.exe
  Filesize: 3.8MB
  MD5: cd6124575280dd513412db5bd233d32a
  SHA1: a99cd43c0cf24a8379f74d32ca81067d502b0914
  SHA256: dfafcfd68e719844dd2b7626752cbf7c818e9de768fee5e5888d94e242baeabf
  SHA512: e5a1f17913ceecc6a58f6b41b606718594bcaff033e717102f1698992dffb988b82daa2e70b8a1ac335d11b7fcdd85d163f7180a8f614b38b8741a936ee46717
- \??\pipe\LOCAL\crashpad_852_HJVJYKRCORHRLJAX
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/508-135-0x0000000000000000-mapping.dmp
- memory/852-132-0x0000000000000000-mapping.dmp
- memory/1160-145-0x0000000000000000-mapping.dmp
- memory/1160-152-0x0000000000000000-mapping.dmp
- memory/1400-133-0x0000000000000000-mapping.dmp
- memory/1492-176-0x0000000000000000-mapping.dmp
- memory/1496-139-0x0000000000000000-mapping.dmp
- memory/1720-149-0x0000000000000000-mapping.dmp
- memory/2392-177-0x0000000000000000-mapping.dmp
- memory/2616-147-0x0000000000000000-mapping.dmp
- memory/3204-151-0x0000000000000000-mapping.dmp
- memory/3364-154-0x0000000000000000-mapping.dmp
- memory/3508-153-0x0000000000000000-mapping.dmp
- memory/3696-170-0x0000000000000000-mapping.dmp
- memory/3704-174-0x0000000000000000-mapping.dmp
- memory/3712-175-0x0000000000000000-mapping.dmp
- memory/3972-136-0x0000000000000000-mapping.dmp
- memory/4156-143-0x0000000000000000-mapping.dmp
- memory/4756-141-0x0000000000000000-mapping.dmp
- memory/5228-156-0x0000000000000000-mapping.dmp
- memory/5324-158-0x0000000000000000-mapping.dmp
- memory/5336-172-0x0000000000000000-mapping.dmp
- memory/5340-160-0x0000000000000000-mapping.dmp
- memory/5348-171-0x0000000000000000-mapping.dmp
- memory/5392-178-0x0000000000000000-mapping.dmp
- memory/5456-161-0x0000000000000000-mapping.dmp
- memory/5496-173-0x0000000000000000-mapping.dmp
- memory/5568-163-0x0000000000000000-mapping.dmp
- memory/5584-165-0x0000000000000000-mapping.dmp
- memory/5856-169-0x0000000000EB0000-0x0000000001972000-memory.dmp
  Filesize: 10.8MB
- memory/5856-166-0x0000000000EB0000-0x0000000001972000-memory.dmp
  Filesize: 10.8MB