Analysis
- max time kernel: 146s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 14:24
Static task: static1
Behavioral task: behavioral1
- Sample: f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
- Resource: win10v2004-20220812-en
General
- Target: f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
- Size: 566KB
- MD5: 519326c59b148171f46535c4dc22dc76
- SHA1: 6faec1ae10c597455ff6768425c3c57aa31fd855
- SHA256: f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f
- SHA512: 6ba4e65739617f2d174bb3bd840ca8d81e1d5cfc4e6849d876a281f01c78ac5a20e22132542f1c0b7dc20e6be24495cdca623121a4a2c410be9f48fefdade903
- SSDEEP: 12288:e0nyfXuIBDtfuRhKzh5jOZ03O21JDM7eAc/cIkj1LJ+Ul5yxWA9:rny/f9uRhKzT53Bhhkj1LyD
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1284  p3suy.exe
  - 2388  p3suy.exe
- YARA rule match: upx (6 IoCs)
  Resources (resource, yara_rule):
  - behavioral2/memory/856-139-0x0000000000400000-0x0000000000417000-memory.dmp  upx
  - behavioral2/memory/856-141-0x0000000000400000-0x0000000000417000-memory.dmp  upx
  - behavioral2/memory/856-142-0x0000000000400000-0x0000000000417000-memory.dmp  upx
  - behavioral2/memory/856-144-0x0000000000400000-0x0000000000417000-memory.dmp  upx
  - behavioral2/memory/856-143-0x0000000000400000-0x0000000000417000-memory.dmp  upx
  - behavioral2/memory/856-150-0x0000000000400000-0x0000000000417000-memory.dmp  upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
  - Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  WScript.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 1284 (p3suy.exe) set thread context of PID 856 (vbc.exe)
  - PID 856 (vbc.exe) set thread context of PID 2388 (p3suy.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
  - File created  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bd7bed10-66c4-489f-b8f5-9f8e06852502.tmp  setup.exe
  - File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221202135038.pma  setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
  - Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid, process, number of entries):
  - 856   vbc.exe              x2
  - 3344  msedge.exe           x2
  - 3444  msedge.exe           x2
  - 2672  identity_helper.exe  x2
  - 4972  msedge.exe           x4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes (pid, process, number of entries):
  - 3444  msedge.exe  x7
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process, number of entries):
  - 3444  msedge.exe  x3
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid, source process, target pid, target process, number of entries; 64 entries in total):
  - 5108  f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe  wrote to memory of  4972  WScript.exe  x3
  - 4972  WScript.exe  wrote to memory of  1284  p3suy.exe  x3
  - 1284  p3suy.exe  wrote to memory of  856  vbc.exe  x8
  - 856   vbc.exe  wrote to memory of  548  cmd.exe  x3
  - 548   cmd.exe  wrote to memory of  3596  PING.EXE  x3
  - 856   vbc.exe  wrote to memory of  2388  p3suy.exe  x8
  - 2388  p3suy.exe  wrote to memory of  3444  msedge.exe  x2
  - 3444  msedge.exe  wrote to memory of  3260  msedge.exe  x2
  - 3444  msedge.exe  wrote to memory of  3684  msedge.exe  x32
Processes (indented by depth in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe  (PID 5108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WScript.exe  (PID 4972)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ixwx\8ry0s.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe  (PID 1284)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 856)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\cmd.exe  (PID 548)
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && move C:\tdEMCEtdEMCE\tdEMCE.vbs "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdEMCE.vbs"
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\SysWOW64\PING.EXE  (PID 3596)
            Command line: ping 127.0.0.1
            - Runs ping.exe

        [depth 5] C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe  (PID 2388)
          Command line: "C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3444)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=p3suy.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
            - Adds Run key to start application
            - Enumerates system info in registry
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3260)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf60a46f8,0x7ffdf60a4708,0x7ffdf60a4718

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3684)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3344)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3136)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3132)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4772)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4964)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1424)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5108)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4540)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6052 /prefetch:8

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2244)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 812)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3244)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 400)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
              - Drops file in Program Files directory

              [depth 8] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 452)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6101b5460,0x7ff6101b5470,0x7ff6101b5480

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2672)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4972)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3740 /prefetch:2
              - Suspicious behavior: EnumeratesProcesses

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4488)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:8

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4996)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=p3suy.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4600)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf60a46f8,0x7ffdf60a4708,0x7ffdf60a4718

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3224)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15396792247596060601,1119565435201053439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1944)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15396792247596060601,1119565435201053439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3

[depth 1] C:\Windows\System32\CompPkgSrv.exe  (PID 4336)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads