Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 10:46
Static task: static1
Behavioral task: behavioral1
  Sample: 1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2 (the run reported on this page; its resource matches the Analysis header above)
  Sample: 1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe
  Resource: win10v2004-20220812-en
General
Target: 1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe
Size: 60KB
MD5: 0356427de68422073f59a3d288efc330
SHA1: 1eec2e7ebc3b9f578718ec56c1dd37f60f3ad6a1
SHA256: 1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d
SHA512: 05b059d2ef45fbad06e556037185f073515aacae06bcf3bae748dd777786913c840b860aaca49ed3485666638ecf122d879fd6be013b39636c0850c946104073
SSDEEP: 768:iVutBMNT83V/nOPEgXK4/soWDjTwOWOCmjR0DMlDBviXCn17IF3cqqbCW2w9XF7D:U6uapN21/skOW7mVfDqy7ICosXRMYX
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6F30EF76-EA16-4BD6-B222-7E1239583769}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B24CB3C9-A96F-46FB-AF2D-89C1434F5FD8}.catalogItem | svchost.exe
-
Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\397abcdf-b8d7-4e90-b508-15984ed59168.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221130180200.pma | setup.exe
-
Enumerates physical storage devices (1 TTP; no IoCs listed for this signature)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature description; the report attaches no process or IoC to it.)
-
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
-
Enumerates system info in registry (2 TTPs, 5 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
-
Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process (times listed)
  3196 | msedge.exe (2)
  2488 | msedge.exe (2)
  4684 | msedge.exe (2)
  1160 | identity_helper.exe (2)
  1064 | msedge.exe (4)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | process (times listed)
  4684 | msedge.exe (7)
-
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process (times listed)
  4684 | msedge.exe (2)
-
Suspicious use of WriteProcessMemory (64 IoCs)
  description | process | target process
  PID 1152 wrote to memory of 4544 | 1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe | msedge.exe
  PID 1152 wrote to memory of 4684 | 1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe | msedge.exe
  PID 4544 wrote to memory of 3560 | msedge.exe | msedge.exe
  PID 4544 wrote to memory of 2072 | msedge.exe | msedge.exe
  PID 4684 wrote to memory of 3452 | msedge.exe | msedge.exe
  PID 4684 wrote to memory of 2164 | msedge.exe | msedge.exe
  The 64 IoCs are repeats of these six writer/target pairs, most of them 4544 -> 2072 and 4684 -> 2164. Every write goes from a process to one of its own children in the tree below, which is consistent with ordinary process creation (the parent writes into the new child's address space) rather than injection into an unrelated process.
Processes
(depth in the tree is shown as [1]..[4] with indentation; signatures hit by a process are listed under its command line)
-
[1] "C:\Users\Admin\AppData\Local\Temp\1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe"
    - Suspicious use of WriteProcessMemory
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7cb446f8,0x7ffd7cb44708,0x7ffd7cb44718
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5501479989971341109,15620926432995575742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5501479989971341109,15620926432995575742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2772 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7cb446f8,0x7ffd7cb44708,0x7ffd7cb44718
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6164 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7b8235460,0x7ff7b8235470,0x7ff7b8235480
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1964 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6784 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
[1] C:\Windows\System32\svchost.exe -k netsvcs -p
    - Drops file in System32 directory
    - Checks processor information in registry
    - Enumerates system info in registry
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
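The process tree is the report's real finding. The sample spawned nothing but two msedge.exe instances, and the URL Edge was given (go.microsoft.com/fwlink/... with o1=SHIM_NOVERSION_FOUND and processName set to the sample) is the page the .NET Framework shim opens in the default browser when it cannot find a runtime to host the executable. The sample's managed code therefore never ran in this environment; everything under the two msedge.exe nodes is Edge's own child processes, and the remaining signatures are attributed to msedge.exe, svchost.exe and setup.exe, not to the sample. The helper below, added here as an example and not part of the sandbox's tooling, pulls that verdict out of the report's own text and collapses the 64-row WriteProcessMemory table into its distinct writer/target pairs. CMDLINES and WPM_TEXT are constructed excerpts of the Processes and WriteProcessMemory sections above (depth markers removed); the report does not print PIDs next to command lines, so the two inputs are kept separate rather than joined.

```python
"""Triage helpers for a sandbox process tree and its WriteProcessMemory table.

Added example for this report, not the sandbox's own code. The two inputs are
constructed excerpts copied from the report above.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SAMPLE = "1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe"
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'

# The fwlink exactly as the report prints it for both msedge.exe launches.
SHIM_URL = ("http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409"
            f"&o1=SHIM_NOVERSION_FOUND&version=(null)&processName={SAMPLE}"
            "&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0")

# Constructed excerpt of the Processes section (command lines only).
CMDLINES = [
    f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"',
    f"{EDGE} --single-argument {SHIM_URL}",
    f"{EDGE} --type=gpu-process --field-trial-handle=2108,5501479989971341109,"
    "15620926432995575742,131072 --mojo-platform-channel-handle=2124 /prefetch:2",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
]

# Constructed excerpt of the flattened WriteProcessMemory IoC text.
WPM_TEXT = (
    f"PID 1152 wrote to memory of 4544 1152 {SAMPLE} msedge.exe "
    f"PID 1152 wrote to memory of 4544 1152 {SAMPLE} msedge.exe "
    "PID 4544 wrote to memory of 3560 4544 msedge.exe msedge.exe "
    f"PID 1152 wrote to memory of 4684 1152 {SAMPLE} msedge.exe "
    "PID 4684 wrote to memory of 3452 4684 msedge.exe msedge.exe "
    "PID 4544 wrote to memory of 2072 4544 msedge.exe msedge.exe "
    "PID 4684 wrote to memory of 2164 4684 msedge.exe msedge.exe "
    "PID 4544 wrote to memory of 2072 4544 msedge.exe msedge.exe"
)

URL_RE = re.compile(r"https?://\S+")
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def dotnet_shim_link(cmdline):
    """Return the query fields of the go.microsoft.com/fwlink page that the .NET
    Framework shim opens when it cannot host an executable (o1 carries a SHIM_*
    reason code), or None for any other command line."""
    m = URL_RE.search(cmdline)
    if not m:
        return None
    parts = urlsplit(m.group(0))
    if parts.netloc.lower() != "go.microsoft.com" or not parts.path.startswith("/fwlink"):
        return None
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return fields if fields.get("o1", "").startswith("SHIM_") else None


def did_sample_run(cmdlines):
    """'ran' is False when some process in the tree carries a shim failure link
    that names the sample; the reason code and shim version are returned with it."""
    for cmdline in cmdlines:
        fields = dotnet_shim_link(cmdline)
        if fields and fields.get("processName") == SAMPLE:
            return {"ran": False, "reason": fields["o1"],
                    "shimver": fields.get("shimver"),
                    "launched_by": cmdline.split(" --", 1)[0]}
    return {"ran": True}


def wpm_edges(text):
    """Collapse the flattened IoC text into {(writer pid, target pid, writer image,
    target image): number of writes}."""
    return Counter(WPM_RE.findall(text))


def writers(edges):
    """Images that performed writes; anything outside the sample and its children
    would point at injection rather than process creation."""
    return {writer for (_, _, writer, _) in edges}


if __name__ == "__main__":
    print(did_sample_run(CMDLINES))
    for edge, n in sorted(wpm_edges(WPM_TEXT).items()):
        print(n, "x", edge)
```

A tree like this one is a reason to re-run the sample on an image that has the runtime it was built for (the behavioral1 task on win7-20221111-en listed at the top is a separate run whose report is not on this page), not a basis for any statement about what the sample would have done.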
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
  Filesize: 471B
  MD5: df0623444ea388107880401724fc0861
  SHA1: 82697f864f2da4c0d6e218b206901d8acfcd388e
  SHA256: 850aaa3c1d52a8daa3f56567be074f6fdf7358dd01c33268005747e78a19c667
  SHA512: f214c68856d4dec4a3748d92c81b3dcba3be9a1a5335200cf1b9f35a51a60d6c022a7e18ada0f3e353f686bc645d28dcfe1508cdcd4bd3862fbdb5df8c84695f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize: 471B
  MD5: 302ccc431609cad913893a5762258293
  SHA1: c88d15ce7198f7296e281fd342d621618a1eddb9
  SHA256: 3963c5a71bd7299478ffdb264b1e8d812aa9598d8d74413ab29268a0545fccb5
  SHA512: 520870fd7d55484064ec7950fd74646140a240cec3261691807dbb857f2a6285d587ebfa34a70d122f9cb9b5d59ca0441e965648eb592333d90fa29ef7f42b18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 (listed twice)
  Filesize: 442B
  MD5: 12d07c56b529e1dcb9df40587b7adf94
  SHA1: e2baab32804da14c582570134482b697d7d150e4
  SHA256: c0fe94bde8831dfdc2e74fd2958cd2a0e3f33d36a8c65def3379078a89582409
  SHA512: c9b3b83d4a405a5ee28b0aa406dd8f8421f88b56dbe6fef71a3d3bab98ec709d99550a13d4ced6d5661db344300e4290f49cc3780f04c2870fba6387ace71654
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize: 446B
  MD5: ab895b9bcf954d194d956032a934efcb
  SHA1: a012c5d8b9980cb28abb2649d11dc2045bb4ea25
  SHA256: 1b74d12bf62f9afe626593e2f9f2396f43b1afb6a50e9092bc2087f53460c3d6
  SHA512: e038e5dcf44eae1e1090bec2c6d311637324d4bba8e274666b1f393a58581341d3da40f152e2ce404a351c7a4af96f2fb97d713f4776784b07471aa0da45f707
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (first content, listed four times)
  Filesize: 152B
  MD5: e1661723f09a6aed8290c3f836ef2c2b
  SHA1: 55e08c810da94c08c5ee54ace181d4347f4e2ae5
  SHA256: a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2
  SHA512: dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (second content, listed three times)
  Filesize: 152B
  MD5: 7b3f352bbc8046d1d5d84c5bb693e2e5
  SHA1: e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c
  SHA256: 471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da
  SHA512: c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5: f0962fd596c03fe64b7058e0c7f23d29
  SHA1: 57541bc8523c45e1b0ee548e86e450d67ef82e26
  SHA256: 83f294b0dd0a50601ef93e3ddcd90fbe865ca6b9ae766c0cee2f57046edf54a3
  SHA512: de1edb593f4e99d0ce9f40260b1343a1b48df5090ceb6d7ac8cacf8721b6d1b8426139fe8681bec8fb39f64160f7d563a6e1928974107ddf7b9591934a22fb15
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
  Filesize: 81B
  MD5: f222079e71469c4d129b335b7c91355e
  SHA1: 0056c3003874efef229a5875742559c8c59887dc
  SHA256: e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
  SHA512: e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
  Filesize: 126KB
  MD5: 6698422bea0359f6d385a4d059c47301
  SHA1: b1107d1f8cc1ef600531ed87cea1c41b7be474f6
  SHA256: 2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
  SHA512: d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
  Filesize: 40B
  MD5: 89c77529a2539f0d9dfef5c1e733a7d1
  SHA1: b038d4151c235d4641c360be99e861305d847dc6
  SHA256: 8bf48eabe410fa32a8514f11aee33bd32dd5239680a741308714e95aa55b0f62
  SHA512: f4bbb205f03dd82f690e4c76885bfcdbb0195a61d30349b4f74f31c41fd38f6fd06e8cb41761882fb5356cc440a1124ba27c42494df892f20d7110bf719bd799
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638054212936815375
  Filesize: 4KB
  MD5: d99103e07b489816c567d95294f9424d
  SHA1: 579593695c2eb99ff6eafd790ba9f0d29444deef
  SHA256: 08281b47fbffec8fd0b0ad0caf5a0a49aab54ad07c3bfe2212337c8878094372
  SHA512: a91492d3051a8dd7f8a7ae001a39e25b3b0539e1e0cf630f53ff9e91edcd9553587826aff7ee348c6b45369bc50b982797e3b9370bddbb1bf9869c4852a319e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
  Filesize: 29B
  MD5: 52e2839549e67ce774547c9f07740500
  SHA1: b172e16d7756483df0ca0a8d4f7640dd5d557201
  SHA256: f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32
  SHA512: d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
  Filesize: 450KB
  MD5: e9c502db957cdb977e7f5745b34c32e6
  SHA1: dbd72b0d3f46fa35a9fe2527c25271aec08e3933
  SHA256: 5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4
  SHA512: b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca
-
\??\pipe\LOCAL\crashpad_4544_QOBSXQTAUXNMNHZG (no Filesize reported)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4684_JAOVLFFAKDMZHWRI (no Filesize reported)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Memory mapping dumps (one per process, as listed in the report):
memory/208-191-0x0000000000000000-mapping.dmp
memory/384-182-0x0000000000000000-mapping.dmp
memory/1064-194-0x0000000000000000-mapping.dmp
memory/1160-185-0x0000000000000000-mapping.dmp
memory/1620-196-0x0000000000000000-mapping.dmp
memory/1700-183-0x0000000000000000-mapping.dmp
memory/1936-165-0x0000000000000000-mapping.dmp
memory/2072-142-0x0000000000000000-mapping.dmp
memory/2164-141-0x0000000000000000-mapping.dmp
memory/2172-176-0x0000000000000000-mapping.dmp
memory/2356-162-0x0000000000000000-mapping.dmp
memory/2488-159-0x0000000000000000-mapping.dmp
memory/3196-146-0x0000000000000000-mapping.dmp
memory/3212-184-0x0000000000000000-mapping.dmp
memory/3268-193-0x0000000000000000-mapping.dmp
memory/3376-169-0x0000000000000000-mapping.dmp
memory/3452-135-0x0000000000000000-mapping.dmp
memory/3536-187-0x0000000000000000-mapping.dmp
memory/3560-133-0x0000000000000000-mapping.dmp
memory/3640-178-0x0000000000000000-mapping.dmp
memory/4304-171-0x0000000000000000-mapping.dmp
memory/4484-174-0x0000000000000000-mapping.dmp
memory/4544-132-0x0000000000000000-mapping.dmp
memory/4684-134-0x0000000000000000-mapping.dmp
memory/4708-180-0x0000000000000000-mapping.dmp
memory/4904-189-0x0000000000000000-mapping.dmp
memory/5068-167-0x0000000000000000-mapping.dmp
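Two things in the Downloads list above are worth checking mechanically before treating any of it as dropped-file evidence. The two named-pipe rows (\??\pipe\LOCAL\crashpad_4544_... and crashpad_4684_...) carry no Filesize, and their MD5, SHA-1, SHA-256 and SHA-512 values are the digests of zero-length input: the sandbox recorded the pipe names and hashed no bytes, so they are not payloads. Several other rows (settings.dat, one MetaData entry) are the same file printed more than once. The check below is an added example, not the sandbox's code; ENTRIES is a constructed excerpt of the list above, with None where the report printed no Filesize. It recomputes the empty-input digests rather than pasting the well-known constants, collapses repeated rows, and flags the inconsistent case where a row claims a non-zero size but carries empty-input digests.

```python
"""Mechanical checks on a sandbox 'Downloads' list: which rows are hashes of
nothing, and which rows are repeats.

Added example for this report, not the sandbox's own tooling. ENTRIES is a
constructed excerpt of the list above: (path, size in bytes or None when no
Filesize was printed, digests exactly as printed).
"""
import hashlib

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1,
              "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def digests_of(data):
    """All four digests of data, keyed the way the report labels them."""
    return {name: fn(data).hexdigest() for name, fn in ALGORITHMS.items()}


# Computed here, so the comparison never relies on remembered constants.
EMPTY_INPUT = digests_of(b"")

SETTINGS = r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat"
PIPE = r"\??\pipe\LOCAL\crashpad_4544_QOBSXQTAUXNMNHZG"

ENTRIES = [
    (SETTINGS, 152, {"md5": "e1661723f09a6aed8290c3f836ef2c2b",
                     "sha256": "a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2"}),
    # the same row, printed again by the report
    (SETTINGS, 152, {"md5": "e1661723f09a6aed8290c3f836ef2c2b",
                     "sha256": "a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2"}),
    (SETTINGS, 152, {"md5": "7b3f352bbc8046d1d5d84c5bb693e2e5",
                     "sha256": "471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da"}),
    (PIPE, None, {"md5": "d41d8cd98f00b204e9800998ecf8427e",
                  "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                  "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                  "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                            "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"}),
]


def matches(data, printed):
    """True when every digest the report printed equals the digest of data.
    Use it to confirm a locally obtained file is the one the report describes."""
    actual = digests_of(data)
    return bool(printed) and all(actual[name] == value for name, value in printed.items())


def is_empty_input(printed):
    """Digests of zero bytes: the sandbox hashed a name, not content."""
    return matches(b"", printed)


def distinct(entries):
    """One row per (path, sha256); the report repeats identical rows verbatim."""
    seen, out = set(), []
    for path, size, printed in entries:
        key = (path, printed["sha256"])
        if key not in seen:
            seen.add(key)
            out.append((path, size, printed))
    return out


def classify(entries):
    """Label each distinct row 'empty', 'content', or 'size/hash mismatch'
    (empty-input digests next to a non-zero Filesize cannot both be right)."""
    labels = {}
    for path, size, printed in distinct(entries):
        empty = is_empty_input(printed)
        if empty and size:
            label = "size/hash mismatch"
        else:
            label = "empty" if empty else "content"
        labels[(path, printed["sha256"])] = label
    return labels


if __name__ == "__main__":
    for (path, sha256), label in classify(ENTRIES).items():
        print(f"{label:18} {sha256[:12]}  {path}")
```

Run against the full list, the two pipe rows come out as "empty" and everything else as "content"; matches() is the same comparison you would make after pulling a file out of the sandbox, to be sure you are looking at the artifact the report hashed.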