Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 08:48
Static task: static1
Behavioral task: behavioral1
Sample: 69fefc7584266eb0fe60c83e3cfc0adc.exe
Resource: win7-20231215-en

General

Target: 69fefc7584266eb0fe60c83e3cfc0adc.exe
Size: 471KB
MD5: 69fefc7584266eb0fe60c83e3cfc0adc
SHA1: cdf7a76db1d6e20ba9283bea90a232e1458685f5
SHA256: 48ac6535a5b415175574538f76ac51a6ecc0bc89f6091e1ed8328f92215cfe26
SHA512: 24dea1cd154a5e44b18a2dae6246dbec1ec70be4b6f23045601b4148fd5d65a7816b70ef6e19e79e47596d7cc5a59c859e7f5f2de52856fa8853824cbbc2a2ad
SSDEEP: 12288:4j18JfmmwWXT/0uaogTseX0yLFl30leziGt3QNl:oCJYuLgoeRFlkkziGtANl
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 69fefc7584266eb0fe60c83e3cfc0adc.exe

Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 69fefc7584266eb0fe60c83e3cfc0adc.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 69fefc7584266eb0fe60c83e3cfc0adc.exe

Deletes itself (1 IoC)
  pid | process
  696 | notepad.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 3544 set thread context of 3076 | 3544 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 93
  PID 3076 set thread context of 1592 | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe | 95

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 69fefc7584266eb0fe60c83e3cfc0adc.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 69fefc7584266eb0fe60c83e3cfc0adc.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | process
  3012 | msedge.exe (2 entries)
  4280 | msedge.exe (2 entries)
  4348 | identity_helper.exe (2 entries)
  5008 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid | process
  4280 | msedge.exe (9 identical entries)

Suspicious use of AdjustPrivilegeToken (25 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3544 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeIncreaseQuotaPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSecurityPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeTakeOwnershipPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeLoadDriverPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSystemProfilePrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSystemtimePrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeProfSingleProcessPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeIncBasePriorityPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeCreatePagefilePrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeBackupPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeRestorePrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeShutdownPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeDebugPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeSystemEnvironmentPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeChangeNotifyPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeRemoteShutdownPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeUndockPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeManageVolumePrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeImpersonatePrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: SeCreateGlobalPrivilege | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 33 | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 34 | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 35 | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe
  Token: 36 | 3076 | 69fefc7584266eb0fe60c83e3cfc0adc.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process
  4280 | msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  4280 | msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe  (PID 3544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe  (PID 3076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\69fefc7584266eb0fe60c83e3cfc0adc.exe"
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe  (PID 2352)
      Command line: notepad
      - Adds Run key to start application

    C:\Windows\SysWOW64\explorer.exe  (PID 1592)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4280)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=explorer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1340)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0ad046f8,0x7ffe0ad04708,0x7ffe0ad04718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3012)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1012)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4928)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4400)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1548)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5028)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3788)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4348)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1464)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4664)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4724)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4400)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3028)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2276)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5008)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5300361902073298758,13481599648336509684,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1944)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=explorer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4336)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0ad046f8,0x7ffe0ad04708,0x7ffe0ad04718

    C:\Windows\SysWOW64\notepad.exe  (PID 696)
      Command line: C:\Windows\SysWOW64\notepad.exe
      - Deletes itself

C:\Windows\System32\CompPkgSrv.exe  (PID 3668)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 1464)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads