Analysis
- max time kernel: 155s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-09-2022 17:42

Static task: static1

Behavioral task: behavioral1
  Sample: HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
  Resource: win10v2004-20220812-en

General
- Target: HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
- Size: 164KB
- MD5: 068fc2f4824a2a23e4dce306b897e9ec
- SHA1: 7161a98ea46b3696d79c6a888a9c69584dca411c
- SHA256: 0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7
- SHA512: 54871706422b8b4b495864f30049ef9e6153c0b4904d2cc0a19d4de48a65c1fd5fde23b8791c4d042aa4fc7321d4794e07c677ec5305de6e9e21bafa759fa017
- SSDEEP: 3072:j3fkYW/5gjbnI3OkLFxD5tKdHDunqUpxwCAnuzPLqY:LMR/5gjbnI3OkLFxD5tKdHDunqIxynua
Malware Config
Signatures
- Disables Task Manager via registry modification

- Possible privilege escalation attempt (4 IoCs)
  Processes:
    PID 4576  icacls.exe
    PID 3004  takeown.exe
    PID 1404  icacls.exe
    PID 2992  takeown.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  (HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe)

- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    PID 1404  icacls.exe
    PID 2992  takeown.exe
    PID 4576  icacls.exe
    PID 3004  takeown.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsStartupHelper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe"  (HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run  (msedge.exe)

- Drops file in Program Files directory (2 IoCs)
  Processes:
    File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220922194408.pma  (setup.exe)
    File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\991731ec-00e1-4e54-83b1-f5ed9c3b5664.tmp  (setup.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)

- Modifies registry class (1 IoC)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (msedge.exe)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    PID 1892  msedge.exe
    PID 1892  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 2000  identity_helper.exe
    PID 2000  identity_helper.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes:
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe
    PID 4584  msedge.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    Token: SeDebugPrivilege  (PID 2364 HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe)
    Token: SeDebugPrivilege  (PID 2364 HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe)
    Token: SeTakeOwnershipPrivilege  (PID 3004 takeown.exe)
    Token: 33  (PID 3836 AUDIODG.EXE)
    Token: SeIncBasePriorityPrivilege  (PID 3836 AUDIODG.EXE)
    Token: SeTakeOwnershipPrivilege  (PID 2992 takeown.exe)

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    PID 4584  msedge.exe
    PID 4584  msedge.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32 /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mynoise.net/NoiseMachines/whiteNoiseGenerator.php?l=00180250525557999999
    Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd0aec46f8,0x7ffd0aec4708,0x7ffd0aec4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2680 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff685c35460,0x7ff685c35470,0x7ff685c35480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11921383250013960664,10525070101563329732,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4f4
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\pipe\LOCAL\crashpad_4584_WHRLIOADBOJLZSBI
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e