Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
14-01-2023 00:16
General
-
Target
bb93cc9ac1cab079b9d6de25f206129f.exe
-
Size
141KB
-
MD5
bb93cc9ac1cab079b9d6de25f206129f
-
SHA1
ba3a22a55f312eae953e10a352399a2950db42a2
-
SHA256
9ff2439dd5f32e84e058c6ffe6864efefee16651600726b85a4cac2d2c0e4cdf
-
SHA512
34eaa395573d6ae9c7ebb8b192b08549e49a0eb4da47ca280a5ece763fb927f60dba669b8adf7ab3a45a8a21eb438851ec484523b948bb6718a963ee08de92b7
-
SSDEEP
3072:RARHROub6IiZktM+t4B6IZeAzaZyJ6QYzHHxgGT0Iw:RkxbQktMo4BRiyjYz6GTrw
Malware Config
Extracted
quasar
2.1.0.0
Office01
172.81.131.113:4782
VNM_MUTEX_OFUOtYdHQP7Y7fAk1P
-
encryption_key
xufMEowCMSpdPlEx87tq
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
mvscs
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb93cc9ac1cab079b9d6de25f206129f.exe"C:\Users\Admin\AppData\Local\Temp\bb93cc9ac1cab079b9d6de25f206129f.exe"1⤵
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\updaters.exe"C:\Users\Admin\Documents\updaters.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\mjzccittF.exe"C:\Users\Admin\AppData\Roaming\mjzccittF.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "mvscs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\mjzccittF.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "mvscs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIgc4K4XegwQ.bat" "4⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff39374f50,0x7fff39374f60,0x7fff39374f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,14638215048908675132,12270683449698795270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.0.586779787\247591923" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 1 -prefMapSize 219989 -appdir "C:\Program Files\Mozilla Firefox\browser" - 116 "\\.\pipe\gecko-crash-server-pipe.116" 1780 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.3.875833766\449351031" -childID 1 -isForBrowser -prefsHandle 2528 -prefMapHandle 2356 -prefsLen 112 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 116 "\\.\pipe\gecko-crash-server-pipe.116" 2516 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.13.2035258291\1789011032" -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 6894 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 116 "\\.\pipe\gecko-crash-server-pipe.116" 3712 tab3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff35b246f8,0x7fff35b24708,0x7fff35b247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5628 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6156 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x240,0x244,0x248,0x218,0x24c,0x7ff7584b5460,0x7ff7584b5470,0x7ff7584b54803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9538355874389228656,10446649698979144001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xe4,0xd8,0x108,0x7fff35b246f8,0x7fff35b24708,0x7fff35b247182⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
106KB
MD576548470bfdc6536cceea847c3fe639b
SHA1de69cb5eb101ff8d7eea3d3610d63b9014eb8257
SHA2560fbe172e7d349d59a26c1fea8ff5e0fddb5006e56bc40d2151df4a37a36019c9
SHA5123707e6fe9dfdeea9c04da68b2f220c274916cc593972bdc624f85c5e49cfb8d3c21cda14922920a7bab3526853e7a4c28b20a58f48282344a58a385780fdcf28
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56b3b51fd8fd42de1d6c6a6f552e8841d
SHA1d1578357a5815c492f83368224c22f558dde103b
SHA256ebbf55bdb9fce635ab060b157c7077959ee241b2c0a57849a358fe16949ffbd3
SHA5121c43eb862c86188347ef2d8299c0cf893dd0979b631be9e8dcde7f61e342ea57984c968a3198c467e2343d8362b86f771c1f7c05516be79f8435abab793813f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56b3b51fd8fd42de1d6c6a6f552e8841d
SHA1d1578357a5815c492f83368224c22f558dde103b
SHA256ebbf55bdb9fce635ab060b157c7077959ee241b2c0a57849a358fe16949ffbd3
SHA5121c43eb862c86188347ef2d8299c0cf893dd0979b631be9e8dcde7f61e342ea57984c968a3198c467e2343d8362b86f771c1f7c05516be79f8435abab793813f4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD54bc5705dca0e6436fe7dc913a6706b9e
SHA177074b5fe43b211e2d638f912306b3fec15c5bfe
SHA2568a84e62df4df16d7afe07ec12459742154a059894f3e6c0845f9ce194bae6139
SHA51287cafc6d043df5ad142335b8037386774baef262d14ed5e47e81c59f35c16e097bafef6634d1eb2e2fb09cfaa68213f0ee7324947aa973e6f94e4be464fc82b2
-
C:\Users\Admin\AppData\Local\Temp\freebl3.dllFilesize
326KB
MD5ef12ab9d0b231b8f898067b2114b1bc0
SHA16d90f27b2105945f9bb77039e8b892070a5f9442
SHA2562b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA5122aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
-
C:\Users\Admin\AppData\Local\Temp\mozglue.dllFilesize
133KB
MD575f8cc548cabf0cc800c25047e4d3124
SHA1602676768f9faecd35b48c38a0632781dfbde10c
SHA256fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
-
C:\Users\Admin\AppData\Local\Temp\msvcp140.dllFilesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\Users\Admin\AppData\Local\Temp\nss3.dllFilesize
1.2MB
MD5d7858e8449004e21b01d468e9fd04b82
SHA19524352071ede21c167e7e4f106e9526dc23ef4e
SHA25678758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA5121e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440
-
C:\Users\Admin\AppData\Local\Temp\softokn3.dllFilesize
141KB
MD5471c983513694ac3002590345f2be0da
SHA16612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
-
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\wIgc4K4XegwQ.batFilesize
203B
MD59f44b7ba8b566d12e5859e6ff52eb1d7
SHA15decf21e68f5062c5f409479d24648e76736d309
SHA25628730178c8b04043ab966dfd7f714ec87bcc5f7a9025c78499f55f4a96509869
SHA5124521f5b0e1865fcc2293352ecb8c6699afeb01a22e6518afac8a5c425978e4070e2e0d94ea1fd8401a09479dbeac4d31dff912b6d8085c0fc318db2baf749dce
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkFilesize
2KB
MD5f4a4bcf912089d83746e1ca84b294a4d
SHA141cc0b842f65285b05c614d4cab096aafc252259
SHA256e507c8ad2775d8c229237e3a28ebc61a339345d61f486b2c33be3bbcd17b979a
SHA512c52b9fa5d2d85add243e7be14f3ad7abbb87a78d12127eb07b6be536ab4c296fdcba953cfb943308c919f9a50df1a1fedf20ef21ce0a5486d6567d373364a9c0
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\AppData\Roaming\mjzccittF.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\AppData\Roaming\mjzccittF.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\Documents\updaters.exeFilesize
141KB
MD5bb93cc9ac1cab079b9d6de25f206129f
SHA1ba3a22a55f312eae953e10a352399a2950db42a2
SHA2569ff2439dd5f32e84e058c6ffe6864efefee16651600726b85a4cac2d2c0e4cdf
SHA51234eaa395573d6ae9c7ebb8b192b08549e49a0eb4da47ca280a5ece763fb927f60dba669b8adf7ab3a45a8a21eb438851ec484523b948bb6718a963ee08de92b7
-
C:\Users\Admin\Documents\updaters.exeFilesize
141KB
MD5bb93cc9ac1cab079b9d6de25f206129f
SHA1ba3a22a55f312eae953e10a352399a2950db42a2
SHA2569ff2439dd5f32e84e058c6ffe6864efefee16651600726b85a4cac2d2c0e4cdf
SHA51234eaa395573d6ae9c7ebb8b192b08549e49a0eb4da47ca280a5ece763fb927f60dba669b8adf7ab3a45a8a21eb438851ec484523b948bb6718a963ee08de92b7
-
\??\pipe\LOCAL\crashpad_5456_UODHMMKSJBTHMISLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_1104_SPFDMIORSHWRKPIQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/224-163-0x0000000000000000-mapping.dmp
-
memory/888-161-0x00000000060E0000-0x00000000060F2000-memory.dmpFilesize
72KB
-
memory/888-158-0x00000000006B0000-0x000000000073C000-memory.dmpFilesize
560KB
-
memory/888-159-0x0000000005590000-0x0000000005B34000-memory.dmpFilesize
5.6MB
-
memory/888-160-0x0000000005080000-0x0000000005112000-memory.dmpFilesize
584KB
-
memory/888-162-0x0000000006500000-0x000000000653C000-memory.dmpFilesize
240KB
-
memory/888-155-0x0000000000000000-mapping.dmp
-
memory/1100-203-0x0000000000000000-mapping.dmp
-
memory/1816-212-0x0000000000000000-mapping.dmp
-
memory/1816-208-0x0000000000000000-mapping.dmp
-
memory/1872-174-0x0000000000000000-mapping.dmp
-
memory/2124-171-0x0000000000000000-mapping.dmp
-
memory/2188-138-0x0000000000000000-mapping.dmp
-
memory/2188-177-0x0000000009450000-0x00000000094F7000-memory.dmpFilesize
668KB
-
memory/2188-184-0x0000000009450000-0x00000000094F7000-memory.dmpFilesize
668KB
-
memory/2272-211-0x0000000000000000-mapping.dmp
-
memory/2504-143-0x0000000007120000-0x0000000007152000-memory.dmpFilesize
200KB
-
memory/2504-136-0x0000000005880000-0x00000000058E6000-memory.dmpFilesize
408KB
-
memory/2504-133-0x0000000002650000-0x0000000002686000-memory.dmpFilesize
216KB
-
memory/2504-134-0x0000000005120000-0x0000000005748000-memory.dmpFilesize
6.2MB
-
memory/2504-135-0x0000000004FA0000-0x0000000004FC2000-memory.dmpFilesize
136KB
-
memory/2504-147-0x0000000007250000-0x000000000726A000-memory.dmpFilesize
104KB
-
memory/2504-132-0x0000000000000000-mapping.dmp
-
memory/2504-146-0x00000000078A0000-0x0000000007F1A000-memory.dmpFilesize
6.5MB
-
memory/2504-144-0x00000000707C0000-0x000000007080C000-memory.dmpFilesize
304KB
-
memory/2504-145-0x00000000064E0000-0x00000000064FE000-memory.dmpFilesize
120KB
-
memory/2504-150-0x00000000074D0000-0x0000000007566000-memory.dmpFilesize
600KB
-
memory/2504-148-0x00000000072C0000-0x00000000072CA000-memory.dmpFilesize
40KB
-
memory/2504-141-0x0000000005F50000-0x0000000005F6E000-memory.dmpFilesize
120KB
-
memory/2504-152-0x0000000007590000-0x00000000075AA000-memory.dmpFilesize
104KB
-
memory/2504-137-0x0000000005960000-0x00000000059C6000-memory.dmpFilesize
408KB
-
memory/2548-210-0x0000000000000000-mapping.dmp
-
memory/2560-200-0x0000000000000000-mapping.dmp
-
memory/3708-167-0x0000000000000000-mapping.dmp
-
memory/3708-170-0x0000000070630000-0x000000007067C000-memory.dmpFilesize
304KB
-
memory/3812-175-0x0000000000000000-mapping.dmp
-
memory/4280-173-0x0000000000000000-mapping.dmp
-
memory/4672-149-0x00000000707C0000-0x000000007080C000-memory.dmpFilesize
304KB
-
memory/4672-142-0x0000000000000000-mapping.dmp
-
memory/4672-151-0x00000000073E0000-0x00000000073EE000-memory.dmpFilesize
56KB
-
memory/4672-153-0x00000000074D0000-0x00000000074D8000-memory.dmpFilesize
32KB
-
memory/5096-172-0x0000000007190000-0x000000000719A000-memory.dmpFilesize
40KB
-
memory/5096-164-0x0000000000000000-mapping.dmp
-
memory/5412-213-0x0000000000000000-mapping.dmp
-
memory/5476-186-0x0000000000000000-mapping.dmp
-
memory/5648-188-0x0000000000000000-mapping.dmp
-
memory/5664-189-0x0000000000000000-mapping.dmp
-
memory/5864-192-0x0000000000000000-mapping.dmp
-
memory/5968-195-0x0000000000000000-mapping.dmp
-
memory/5988-197-0x0000000000000000-mapping.dmp
-
memory/6064-199-0x0000000000000000-mapping.dmp