Analysis
- max time kernel: 1766s
- max time network: 1776s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 15:43
Behavioral tasks
- behavioral1: sample Server.exe, resource win7-20231215-en
- behavioral2: sample Server.exe, resource win10v2004-20231215-en (the run this report covers)
General
- Target: Server.exe
- Size: 37KB
- MD5: c5dafabbdca106e67d5cb84874c23303
- SHA1: 8126ac3e70aafc5ba501f2d8377693f481501254
- SHA256: 89a98267e8ef044b4863140f7b4457e76a8164bc7e0f584888d86e4b7705154f
- SHA512: 764e45ed7f76df058cf74925538b0407a8c0ccc6912a91777621fca59e49c9ec5166ed113ee138a1a14f2747b6a24eafbfa6b66ae4881cd73d3effe1fa23b38a
- SSDEEP: 384:PHjZBj6icrri5Z7JAyk/o4YPTvZeKgdSrAF+rMRTyN/0L+EcoinblneHQM3epzXb:/jnHJ7k/o4YjZ7gUrM+rMRa8NuxBt
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 2 IoCs)
  PID 2220 netsh.exe; PID 5696 netsh.exe (the add and the later delete of the allowedprogram entry; see the process tree)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (Server.exe)
- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f13e39aa6ceed1b416727928cf46f71.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f13e39aa6ceed1b416727928cf46f71.exe (server.exe)
- Executes dropped EXE (1 IoC)
  PID 1756 server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4f13e39aa6ceed1b416727928cf46f71 = "\"C:\\ProgramData\\server.exe\" .." (server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4f13e39aa6ceed1b416727928cf46f71 = "\"C:\\ProgramData\\server.exe\" .." (server.exe)
  The same 32-hex-digit name is used for both Run values and for the Startup-folder file, and the value data is the quoted image path followed by a `..` argument. The HKLM value lands under WOW6432Node because the sample is a 32-bit process (its children run from SysWOW64); writing it at all requires an elevated token.
- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File created: C:\autorun.inf, D:\autorun.inf, F:\autorun.inf (server.exe)
  File opened for modification: C:\autorun.inf, F:\autorun.inf (server.exe)
  Windows 7 and later no longer run autorun.inf from USB or other non-optical removable media, so on a patched host these files are an indicator rather than a working propagation path.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  All three are attributed to msedge.exe, the browser the sample launched, not to the sample itself.
- Kills process with taskkill (1 IoC)
  PID 3864 taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PID 5836 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1756 server.exe, 64 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1756 server.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  PID 4856 msedge.exe, 9 entries (Edge applies this child-process mitigation to its own helper processes; browser behaviour, not the sample's)
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Token: SeDebugPrivilege, PID 1756 server.exe
  Token: SeDebugPrivilege, PID 3864 taskkill.exe
  Token: 33 (an unresolved privilege number) followed by Token: SeIncBasePriorityPrivilege, PID 1756 server.exe, seven times
  Token: SeManageVolumePrivilege, PID 4344 svchost.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 4856 msedge.exe, 25 entries
- Suspicious use of SendNotifyMessage (24 IoCs)
  PID 4856 msedge.exe, 24 entries
- Suspicious use of WriteProcessMemory (64 IoCs)
  source PID and process -> target PID (procid_target), number of entries:
  4816 Server.exe -> 1756 (92), 3
  1756 server.exe -> 2220 (97), 3
  1756 server.exe -> 3864 (99), 3
  1756 server.exe -> 4856 (109), 2
  1756 server.exe -> 2712 (108), 2
  4856 msedge.exe -> 1508 (111), 2
  2712 msedge.exe -> 3396 (110), 2
  2712 msedge.exe -> 4784 (115), 40
  2712 msedge.exe -> 2748 (112), 2
  4856 msedge.exe -> 3848 (114), 5
  Every target is a direct child of its source in the process tree, which is what a parent writing into a process it has just created looks like; no entry targets a process outside the sample's own tree, so this signature on its own is not evidence of injection into a foreign process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Server.exe  (PID 4816)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\server.exe  (PID 1756)
        cmdline: "C:\ProgramData\server.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe  (PID 2220)
            cmdline: netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\taskkill.exe  (PID 3864)
            cmdline: taskkill /F /IM Exsample.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2712)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3396)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb876f46f8,0x7ffb876f4708,0x7ffb876f4718
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2748)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3439429934621080023,15271733939082742186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4784)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3439429934621080023,15271733939082742186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4856)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1508)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb876f46f8,0x7ffb876f4708,0x7ffb876f4718
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4760)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3848)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2904)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3552)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3012)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2956)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4168)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4904)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 5524)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 5540)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5844)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5860)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 320)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5224)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5328)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18270087002603389334,2073048529304392202,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4084 /prefetch:2
        [3] C:\Windows\SysWOW64\netsh.exe  (PID 5696)
            cmdline: netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
            - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 5752)
            cmdline: cmd.exe /k ping 0 & del "C:\ProgramData\server.exe" & exit
            [4] C:\Windows\SysWOW64\PING.EXE  (PID 5836)
                cmdline: ping 0
                - Runs ping.exe
        The last two children undo the run: the firewall exception is removed and the dropped copy is deleted after a short ping delay, so the on-disk copy may already be gone when a host is examined. The report does not show the Run values or the Startup-folder file being removed, so those still point at the deleted path.
[1] C:\Windows\System32\CompPkgSrv.exe  (PID 5400)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe  (PID 5452)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\rundll32.exe  (PID 6012)
    cmdline: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
[1] C:\Windows\System32\svchost.exe  (PID 4344)
    cmdline: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1), T1547.001
- Create or Modify System Process (1): Windows Service (1), T1543.003
Only the Persistence column is populated in this report's matrix; the firewall change, the geofence lookup, the autorun.inf drops and the self-deletion listed under Signatures are not mapped here.
Downloads
- Filesize: 37KB
  MD5: c5dafabbdca106e67d5cb84874c23303
  SHA1: 8126ac3e70aafc5ba501f2d8377693f481501254
  SHA256: 89a98267e8ef044b4863140f7b4457e76a8164bc7e0f584888d86e4b7705154f
  SHA512: 764e45ed7f76df058cf74925538b0407a8c0ccc6912a91777621fca59e49c9ec5166ed113ee138a1a14f2747b6a24eafbfa6b66ae4881cd73d3effe1fa23b38a
  Same hashes as the submitted Server.exe, so a byte-for-byte copy of the sample was written during the run.
- Filesize: 319B
  MD5: da4fafeffe21b7cb3a8c170ca7911976
  SHA1: 50ef77e2451ab60f93f4db88325b897d215be5ad
  SHA256: 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
  SHA512: 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6
- Filesize: 152B
  MD5: 576c26ee6b9afa995256adb0bf1921c9
  SHA1: 5409d75623f25059fe79a8e86139c854c834c6a0
  SHA256: 188d83fc73f8001fc0eac076d6859074000c57e1e33a65c83c73b4dab185f81e
  SHA512: b9dbadb0f522eedb2bf28385f3ff41476caeedc048bc02988356b336e5cf526394a04b3bca5b3397af5dde4482e2851c18eca8aeaaf417a7536e7ea7718f9043
- Filesize: 152B
  MD5: 011193d03a2492ca44f9a78bdfb8caa5
  SHA1: 71c9ead344657b55b635898851385b5de45c7604
  SHA256: d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0
  SHA512: 239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 336B
  MD5: 138b194dfb032b9e6f0025aa18214bc6
  SHA1: 6aafc3548fc2db0c10ca13d02e80f8145b281219
  SHA256: 38892f7afd4816ceb3927b910d3e819b6f8bf9d153c351aa32e3f2f07f3c822f
  SHA512: fa532beeef625d1c8bcc6e1163eea8486caceee8b5904c555b7b9aefc97de60aae24260b98c2be7fd0adb08ff8edd1b8a895c2d126f5a7254c77cd5b47ab0386
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 977B
  MD5: 453752533559cf35fe9d6e062dc39d1b
  SHA1: 69d9a6c2c601f185e1233a92378c86af53891a2d
  SHA256: 5abd6219822533abd0cdff9fb8f896f440005c990235998f34d6e11c1b39230f
  SHA512: 62d84cd3083b6800f2dbcca796d71294a56bb0e389d9c174cdbb7bf41809e147a74d180a20957dd26e878fd320a30ed77545f1ec455287e7cf726c8b83dddd96
- Filesize: 5KB
  MD5: 6bb95478c03bd0970b398195d6aa13a5
  SHA1: 31f5525bd9ae77bf332caa8a5f6deaf0268ea505
  SHA256: ddca2026ff9f5117bbe8a3a961c82dea63912cb2332b41896750bf107e470c81
  SHA512: c406107b1d7678a3e7b959d56e17d934c1fa423fdb938e004d79a4c16f88ef7f665d1b6657c557aa0ebf7b7fbf7ec68246fec25f2b83817bf9e8a6b6920d7f42
- Filesize: 6KB
  MD5: c5f38a0eb7d5b97908228d08d6e37a86
  SHA1: cc97d362e34388b803a9b7da50383485f0ff5726
  SHA256: 7c2e121193a1a47774778966f89d54dfd9ce962f8daad72697f59bac2f9c2afa
  SHA512: 091aacb271dc680c7b484da2f8cca1d10b4ded977511acfa30fc7a7ce467bcce7a020f23cdca6c299c33eed75196342f7e6c4054ab7c330ef3b0a190c9f80304
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e7190fe0-a8d4-4fdb-9601-e1f1dd7e6d06.tmp
  Filesize: 24KB
  MD5: f5b764fa779a5880b1fbe26496fe2448
  SHA1: aa46339e9208e7218fb66b15e62324eb1c0722e8
  SHA256: 97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d
  SHA512: 5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745
- Filesize: 10KB
  MD5: afdcb844d41b6376ec3afadc8acd70ce
  SHA1: e918c1c05a7087d3b298fb34322a7dbe0de6dee7
  SHA256: 61f9d177b1568b2047b9b84296ea68660bef0042da8d7badfcb1cae9b40b51fa
  SHA512: 77ca258968e730295841705a3955bd0672e2204b6b618520a00bd3c6088623a7332fe87228768422c713e41a6cdd87f029802b19f89d8f7a62d200fb1ed6d1a1
- Filesize: 2KB
  MD5: 3e367f6f51ff9fc391d40bd5e8f3c9b9
  SHA1: 2338f8d129777dbf170dcf27f9c13d25ae126a00
  SHA256: 518c02cbee4b72799cfdcb28afd2b1399b18a3c8261f34ccd29b93a87ccf75c5
  SHA512: cc8bc143a0dd02332c12652d6a71993275ff395f3b1cba9a105d1e86d6a3bc040646857b7760257624642fb3a9b8fb8d24e5f68bcaeea59dc8bdf24b0f097187
- Filesize: 10KB
  MD5: 305c6d743d25f4195ce362fcae561297
  SHA1: 136593d0d74261c65ba77181c5764ba814bf26ef
  SHA256: 15d9af13b1e8f3b8ad39caba4c1bb7e99709ad2bd4da9e78e57e399791d1e4a7
  SHA512: 891876eedbf6e0af07a09bc851b287991f2dd9ee7eef2b42950e6013504150b873ed13ecb897dcddcba784ea16e110f60c00a7ab158b97e365f63f66241cbda1