0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7

General

Target

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Size

164KB
MD5

068fc2f4824a2a23e4dce306b897e9ec
SHA1

7161a98ea46b3696d79c6a888a9c69584dca411c
SHA256

0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7
SHA512

54871706422b8b4b495864f30049ef9e6153c0b4904d2cc0a19d4de48a65c1fd5fde23b8791c4d042aa4fc7321d4794e07c677ec5305de6e9e21bafa759fa017
SSDEEP

3072:j3fkYW/5gjbnI3OkLFxD5tKdHDunqUpxwCAnuzPLqY:LMR/5gjbnI3OkLFxD5tKdHDunqIxynua

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4576 icacls.exe
3004 takeown.exe
1404 icacls.exe
2992 takeown.exe

pid	process
4576	icacls.exe
3004	takeown.exe
1404	icacls.exe
2992	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1404 icacls.exe
2992 takeown.exe
4576 icacls.exe
3004 takeown.exe

pid	process
1404	icacls.exe
2992	takeown.exe
4576	icacls.exe
3004	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsStartupHelper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe"	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220922194408.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\991731ec-00e1-4e54-83b1-f5ed9c3b5664.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

1892 msedge.exe
1892 msedge.exe
4584 msedge.exe
4584 msedge.exe
2000 identity_helper.exe
2000 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
1892	msedge.exe
1892	msedge.exe
4584	msedge.exe
4584	msedge.exe
2000	identity_helper.exe
2000	identity_helper.exe

pid	process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exetakeown.exeAUDIODG.EXEtakeown.exe

description	pid	process
Token: SeDebugPrivilege	2364	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Token: SeDebugPrivilege	2364	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Token: SeTakeOwnershipPrivilege	3004	takeown.exe
Token: 33	3836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3836	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	2992	takeown.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4584 msedge.exe
4584 msedge.exe

pid	process
4584	msedge.exe
4584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.execmd.exemsedge.exe

description	pid	process	target process
PID 2364 wrote to memory of 4804	2364	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2364 wrote to memory of 4804	2364	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 4804 wrote to memory of 3004	4804	cmd.exe	takeown.exe
PID 4804 wrote to memory of 3004	4804	cmd.exe	takeown.exe
PID 4804 wrote to memory of 1404	4804	cmd.exe	icacls.exe
PID 4804 wrote to memory of 1404	4804	cmd.exe	icacls.exe
PID 2364 wrote to memory of 4584	2364	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	msedge.exe
PID 2364 wrote to memory of 4584	2364	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	msedge.exe
PID 4584 wrote to memory of 5076	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 5076	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1068	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1892	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1892	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2804	4584	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1404

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mynoise.net/NoiseMachines/whiteNoiseGenerator.php?l=00180250525557999999
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd0aec46f8,0x7ffd0aec4708,0x7ffd0aec4718
3⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2680 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
3⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
3⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
3⤵
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
3⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
3⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
3⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
3⤵
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
3⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
3⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff685c35460,0x7ff685c35470,0x7ff685c35480
4⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
3⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
3⤵
PID:4276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\LOCAL\crashpad_4584_WHRLIOADBOJLZSBI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-149-0x0000000000000000-mapping.dmp

Download
memory/524-151-0x0000000000000000-mapping.dmp

Download
memory/768-157-0x0000000000000000-mapping.dmp

Download
memory/908-161-0x0000000000000000-mapping.dmp

Download
memory/1068-143-0x0000000000000000-mapping.dmp

Download
memory/1092-165-0x0000000000000000-mapping.dmp

Download
memory/1404-137-0x0000000000000000-mapping.dmp

Download
memory/1440-166-0x0000000000000000-mapping.dmp

Download
memory/1892-144-0x0000000000000000-mapping.dmp

Download
memory/2000-167-0x0000000000000000-mapping.dmp

Download
memory/2364-140-0x000000001B589000-0x000000001B58F000-memory.dmp

Filesize
24KB

Download
memory/2364-171-0x0000000031DF0000-0x0000000031DF4000-memory.dmp

Filesize
16KB

Download
memory/2364-133-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2364-132-0x0000000000910000-0x0000000000940000-memory.dmp

Filesize
192KB

Download
memory/2364-177-0x0000000031DFC000-0x0000000031E01000-memory.dmp

Filesize
20KB

Download
memory/2364-134-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2364-176-0x0000000031DF7000-0x0000000031DFC000-memory.dmp

Filesize
20KB

Download
memory/2364-170-0x0000000031DF4000-0x0000000031DF7000-memory.dmp

Filesize
12KB

Download
memory/2364-173-0x0000000031DF7000-0x0000000031DFC000-memory.dmp

Filesize
20KB

Download
memory/2364-172-0x0000000031DF4000-0x0000000031DF7000-memory.dmp

Filesize
12KB

Download
memory/2364-164-0x0000000031DF0000-0x0000000031DF4000-memory.dmp

Filesize
16KB

Download
memory/2364-141-0x000000001B589000-0x000000001B58F000-memory.dmp

Filesize
24KB

Download
memory/2540-155-0x0000000000000000-mapping.dmp

Download
memory/2804-147-0x0000000000000000-mapping.dmp

Download
memory/2992-152-0x0000000000000000-mapping.dmp

Download
memory/3004-136-0x0000000000000000-mapping.dmp

Download
memory/3316-169-0x0000000000000000-mapping.dmp

Download
memory/3376-163-0x0000000000000000-mapping.dmp

Download
memory/4276-175-0x0000000000000000-mapping.dmp

Download
memory/4464-159-0x0000000000000000-mapping.dmp

Download
memory/4576-153-0x0000000000000000-mapping.dmp

Download
memory/4584-138-0x0000000000000000-mapping.dmp

Download
memory/4804-135-0x0000000000000000-mapping.dmp

Download
memory/5076-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads