Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 14:32

Static task: static1

Behavioral task: behavioral1
- Sample: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
- Resource: win10v2004-20220812-en
General
- Target: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
- Size: 196KB
- MD5: 9779201319cb781619e34fb60e456d46
- SHA1: 15e643a3d23a62cac36ec4f1e02f1bee573847a1
- SHA256: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27
- SHA512: 44e6dd958118e3634b97ceba75d01cd1db3098a686e04e58223b619a90a5fe3b2bbd365a190e5a3c18cfb4254e37917c1f8a20ef0c0e9a5aef73c8339bf22e74
- SSDEEP: 3072:JxrJOfxfkksCmh/yG+1vIebEBCiy+7aLyIVJochcCTpiwe9El8906uqMkeheqX8:JDOfxMBQ1EBCC+LroHCTcT906pehz8
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  File created | C:\Windows\System32\drivers\etc\hosts.ics | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
-
Executes dropped EXE 3 IoCs
Processes: a.exe, miniads.exe, miniads2.exe
  pid | process
  3844 | a.exe
  3684 | miniads.exe
  2524 | miniads2.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Drops file in System32 directory 3 IoCs
Processes: a.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\miniads.exe | a.exe
  File opened for modification | C:\Windows\SysWOW64\dllshell.dll | a.exe
  File opened for modification | C:\Windows\SysWOW64\miniads2.exe | a.exe
-
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f69928e7-06a1-4d46-a74c-0f94aac1f5e9.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129224009.pma | setup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies Internet Explorer settings
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.vinacf.cf" | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
-
Modifies registry class 1 IoCs
Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe, a.exe, msedge.exe, msedge.exe, identity_helper.exe
  pid | process (64 events; repeated entries for the same pid collapsed)
  880 | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  3844 | a.exe
  2712 | msedge.exe
  908 | msedge.exe
  1592 | identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes: msedge.exe
  pid | process (6 events, all from the same process)
  908 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe, a.exe
  description | pid | process
  Token: 0 | 880 | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  Token: 0 | 3844 | a.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe, msedge.exe
  pid | process (4 events; repeated entries for the same pid collapsed)
  880 | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  908 | msedge.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe, a.exe, miniads.exe, miniads2.exe
  pid | process (10 events; repeated entries for the same pid collapsed)
  880 | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
  3844 | a.exe
  3684 | miniads.exe
  2524 | miniads2.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe, msedge.exe, a.exe
  description | pid | process | target process (64 events; repeated source/target pairs collapsed)
  PID 880 wrote to memory of 908 | 880 | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe | msedge.exe
  PID 908 wrote to memory of 4208 | 908 | msedge.exe | msedge.exe
  PID 880 wrote to memory of 3844 | 880 | cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe | a.exe
  PID 3844 wrote to memory of 3684 | 3844 | a.exe | miniads.exe
  PID 908 wrote to memory of 4420 | 908 | msedge.exe | msedge.exe
  PID 908 wrote to memory of 2712 | 908 | msedge.exe | msedge.exe
  PID 908 wrote to memory of 2260 | 908 | msedge.exe | msedge.exe
Processes
[1] C:\Windows\Explorer.EXE
    command: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
      command: "C:\Users\Admin\AppData\Local\Temp\cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe"
      - Drops file in Drivers directory
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.vinacf.cf/
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb3e7b46f8,0x7ffb3e7b4708,0x7ffb3e7b4718
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6983a5460,0x7ff6983a5470,0x7ff6983a5480
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1440 /prefetch:2
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6732 /prefetch:8
    [3] C:\Users\Admin\AppData\Local\Temp\a.exe
        command: a.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\miniads.exe
          command: C:\Windows\System32\miniads.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\miniads2.exe
          command: C:\Windows\System32\miniads2.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\CompPkgSrv.exe
    command: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize 724B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize 392B
-
C:\Users\Admin\AppData\Local\Temp\a.exe
Filesize 260KB
-
C:\Windows\SysWOW64\miniads.exe
Filesize 44KB
-
C:\Windows\SysWOW64\miniads2.exe
Filesize 32KB
-
C:\Windows\system32\drivers\etc\hosts
Filesize 2B
-
\??\pipe\LOCAL\crashpad_908_PCSPHYWAEVIUZQGS