Resubmissions
26-10-2023 21:19  231026-z592tsgc71  8
26-10-2023 21:13  231026-z27gjahh85  8
26-10-2023 21:05  231026-zxldhahh22  8

Analysis
max time kernel: 185s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2023 21:13

Static task: static1
Behavioral task: behavioral1
Sample: setup.exe
Resource: win10v2004-20231020-en
Errors

General
Target: setup.exe
Size: 1006KB
MD5: f42a201044931eee29a309600b72d456
SHA1: a38c49acdb7c3e0775f2d6dc8b8ea8bd7f32f732
SHA256: 55e5131f01e0b4db477326c27139ab59c61f33cceb5de503e874197d23d37ad0
SHA512: 53114bf6f50d276b9cf20c67b7044321e64937af327ab67b87f97f10297996a2a4189b8a9c7215b42a4d01a8bbee211680ed111a9d8f12ced136dd774217b858
SSDEEP: 12288:T8HjWTxA6M8erwyFeGA8HjWTxA6M8erwyFeGA8HjWTxA6M8erwyFeGA8HjWTxA6H:gK1D9Y7K1D9Y7K1D9Y7K1D9Yg
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
34 3896 powershell.exe
35 3896 powershell.exe
36 3896 powershell.exe
37 3896 powershell.exe

Modifies Windows Firewall (1 TTPs, 2 IoCs)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation setup.exe
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation setup.exe

Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes (description, ioc):
Destination IP 205.251.196.135
Destination IP 205.251.196.135
Destination IP 205.251.196.135
Destination IP 205.251.196.135
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe

Modifies data under HKEY_USERS (15 IoCs)
Processes (description, ioc, process):
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
3896 powershell.exe (×2)
4288 msedge.exe (×2)
3764 msedge.exe (×2)
816 identity_helper.exe (×2)
1824 taskmgr.exe (×56)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
1824 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process):
4288 msedge.exe (×7)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 3896 powershell.exe
Token: SeIncreaseQuotaPrivilege 3896 powershell.exe
Token: SeSecurityPrivilege 3896 powershell.exe
Token: SeTakeOwnershipPrivilege 3896 powershell.exe
Token: SeLoadDriverPrivilege 3896 powershell.exe
Token: SeSystemProfilePrivilege 3896 powershell.exe
Token: SeSystemtimePrivilege 3896 powershell.exe
Token: SeProfSingleProcessPrivilege 3896 powershell.exe
Token: SeIncBasePriorityPrivilege 3896 powershell.exe
Token: SeCreatePagefilePrivilege 3896 powershell.exe
Token: SeBackupPrivilege 3896 powershell.exe
Token: SeRestorePrivilege 3896 powershell.exe
Token: SeShutdownPrivilege 3896 powershell.exe
Token: SeDebugPrivilege 3896 powershell.exe
Token: SeSystemEnvironmentPrivilege 3896 powershell.exe
Token: SeRemoteShutdownPrivilege 3896 powershell.exe
Token: SeUndockPrivilege 3896 powershell.exe
Token: SeManageVolumePrivilege 3896 powershell.exe
Token: 33 3896 powershell.exe
Token: 34 3896 powershell.exe
Token: 35 3896 powershell.exe
Token: 36 3896 powershell.exe
Token: SeDebugPrivilege 1824 taskmgr.exe
Token: SeSystemProfilePrivilege 1824 taskmgr.exe
Token: SeCreateGlobalPrivilege 1824 taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process):
4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid, process):
4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 4288 msedge.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe 1824 taskmgr.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
2252 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process):
PID 344 wrote to memory of 1276 344 setup.exe setup.exe (×2)
PID 1276 wrote to memory of 3896 1276 setup.exe powershell.exe (×2)
PID 3896 wrote to memory of 1852 3896 powershell.exe netsh.exe (×2)
PID 3896 wrote to memory of 1396 3896 powershell.exe netsh.exe (×2)
PID 344 wrote to memory of 4632 344 setup.exe cmd.exe (×2)
PID 4288 wrote to memory of 620 4288 msedge.exe msedge.exe (×2)
PID 4288 wrote to memory of 1820 4288 msedge.exe msedge.exe (×40)
PID 4288 wrote to memory of 3764 4288 msedge.exe msedge.exe (×2)
PID 4288 wrote to memory of 2000 4288 msedge.exe msedge.exe (×10)
Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 344, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 1276, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "powershell" -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adobe Temp\BlockIPs.ps1'"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3896, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adobe Temp\BlockIPs.ps1'"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (PID 1852, depth 4)
        Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "name=Adobe Unlicensed Pop-up" dir=out
        - Modifies Windows Firewall

      C:\Windows\system32\netsh.exe (PID 1396, depth 4)
        Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Adobe Unlicensed Pop-up" dir=out action=block remoteip=107.22.247.231,18.207.85.246,23.22.254.206,34.193.227.236,52.202.204.11,52.5.13.197,54.144.73.197,54.227.187.23 enable=yes
        - Modifies Windows Firewall

  C:\Windows\System32\cmd.exe (PID 4632, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c IF DEFINED InstChk ( START "" "C:\Users\Admin\AppData\Local\Temp\..\Set-up.exe" )

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4288, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 620, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0d6d46f8,0x7ffe0d6d4708,0x7ffe0d6d4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3764, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1820, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2000, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3592, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4888, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3424, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4720, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3360, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 816, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1856, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2196, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2316, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4508, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe (PID 4512, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4632, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\taskmgr.exe (PID 1824, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\LogonUI.exe (PID 2252, depth 1)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa397b855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe (PID 3700, depth 1)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads