Resubmissions
11/02/2024, 20:27
240211-y8tnksdb78 10
11/02/2024, 20:21
240211-y5dg7abb61 6
11/02/2024, 20:11
240211-yymsaada97 6
11/02/2024, 20:06
240211-yvk5aaba9v 6
11/02/2024, 19:54
240211-ym1vrsda45 10
Analysis
max time kernel: 314s
max time network: 309s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/02/2024, 20:21
Static task: static1
Behavioral task: behavioral1
Sample: winrar-x64-624es.exe
Resource: win10v2004-20231215-en
General
Target: winrar-x64-624es.exe
Size: 3.5MB
MD5: 1da8374156fc6492f06828e55ea4dc13
SHA1: 4923d045851434d65ce7c56b7e1bd73a08fc2305
SHA256: c94ed445611ed35ebbe8c3c2af5c17e20cdb8ef76ecbc1ef535bdec7ccf08f4b
SHA512: 445392ffca842263310d0f4b8371e0bfd6bcb40d9e846d645c73616b252315b0603d7e538d9e5415028c35f747989da5c14566cf356860304e889ae7f12565d2
SSDEEP: 98304:jwBOBfKqQ0K1MTXtbysMqIpmCcBQz/J6+14CeZx1kR7:jw/qQv1MTXhysMs1BQnG1G
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Antivirus Pro 2017.zip\\[email protected]" | [email protected]
- Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each drive letter appears twice, 42 rows in total) | [email protected]
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow | ioc
  97 | camo.githubusercontent.com
  103 | camo.githubusercontent.com
  124 | raw.githubusercontent.com
  125 | raw.githubusercontent.com
- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | [email protected]
  File opened for modification | \??\PhysicalDrive0 | [email protected]
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{6D4CC28C-FB86-4CF6-B3E0-BD08B07C81B0} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4144 | msedge.exe (×2)
  3480 | msedge.exe (×2)
  2804 | identity_helper.exe (×2)
  772 | msedge.exe (×2)
  3600 | msedge.exe (×2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
  pid | Process
  3480 | msedge.exe (×13)
- Suspicious use of FindShellTrayWindow (46 IoCs)
  pid | Process
  3480 | msedge.exe (×34)
  4436 | [email protected] (×6)
  4592 | [email protected] (×6)
- Suspicious use of SendNotifyMessage (36 IoCs)
  pid | Process
  3480 | msedge.exe (×24)
  4436 | [email protected] (×6)
  4592 | [email protected] (×6)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  4492 | winrar-x64-624es.exe (×2)
  4436 | [email protected] (×2)
  4592 | [email protected] (×2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3480 wrote to memory of 4888 | 3480 | msedge.exe | 96 (×2)
  PID 3480 wrote to memory of 2864 | 3480 | msedge.exe | 98 (repeated)
  PID 3480 wrote to memory of 4144 | 3480 | msedge.exe | 97 (×2)
  PID 3480 wrote to memory of 3448 | 3480 | msedge.exe | 99 (repeated)
  (the 2864 and 3448 rows together account for the remaining 60 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\winrar-x64-624es.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64-624es.exe"
  PID: 4492
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\6db21628a89c400bbac46da6003f89b5 /t 872 /p 4492
  PID: 2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  PID: 3480
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2f1446f8,0x7ffb2f144708,0x7ffb2f144718
      PID: 4888
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      PID: 4144
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      PID: 2864
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
      PID: 3448
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      PID: 3944
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      PID: 4480
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
      PID: 2468
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      PID: 2780
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
      PID: 3036
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
      PID: 2804
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      PID: 2060
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      PID: 1240
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
      PID: 4552
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      PID: 1900
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      PID: 1764
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5632 /prefetch:8
      PID: 772
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3372 /prefetch:8
      PID: 1688
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      PID: 2780
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      PID: 1208
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
      PID: 4340
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
      PID: 3600
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
      PID: 4560
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,12909336967927217367,17086257991626919881,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
      PID: 5096
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3036
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4844
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]"
  PID: 4436
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\94d0b30e6d284882be7cfd41ee8abcb1 /t 3404 /p 4436
  PID: 1316
- C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]"
  PID: 4592
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 152B
  MD5: 4d6e17218d9a99976d1a14c6f6944c96
  SHA1: 9e54a19d6c61d99ac8759c5f07b2f0d5faab447f
  SHA256: 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
  SHA512: 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 2cdd3589737bf6fbfafe5ae7e8781df8
  SHA1: a8333a2b39080212aa2798f8312d66217940f118
  SHA256: 25af73325fbadd4399ec80349c0e9984714da903eddf6704f32b747a7e473fb5
  SHA512: 4e7409142441cba7d1d00bc2a75092fa596827d9f897e145c1dce2f15aee5aa7d3f9b92c8a0f481cc92708bb57543e1a8693906c93c8c0f5fb802a95d202df33
- Filesize: 868B
  MD5: 720cf43cff4642cc701e15ba7da20410
  SHA1: 9598c999a4937b2e80e0c7bd8aabd74b5cf27bc8
  SHA256: 8aa8697a4db634220a3892de3aa9d4250a2c7b744faacbe2ed4dec96992f476f
  SHA512: 8ff6298cfa9a7df6b44d9f30606d41715c39b7569954d3d1756b32264c398ecfe0263c0ee1db4d37c5be27c2a76f8b5b1af49cba5811e10e8fa8b1ef058fae85
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 951B
  MD5: d2b26346e08578acbe88d75b38fa5b55
  SHA1: 130eda8eedc17c520ad8b5a9f9cacb3b425d94f9
  SHA256: 7b52f05419c72b2edfe95b60ff43e217df8dee30c31153b17390a88440f5b935
  SHA512: 0e5fac2e1b0c966f0feb318f93c80ce1e1e4009dbdf1b1611a7288b06d6cc27c1ee87d6e60ca6661a621abf7a82b204ebcc5c7a347cd27b38c4f082af5e953bf
- Filesize: 5KB
  MD5: 5a52b1fe2fb1cd226e74e14e68f8d492
  SHA1: 974cbe9b70f6a12a077bbbbba2fa6e8302fc92cc
  SHA256: 6b2e40edaa2fe0d392fdb565b43276b1090361cbe71a1703e5ad9ef4edb0773a
  SHA512: 05f5c187c0fbb8c13b0bfacbd6bd555063ee726c9cdba7878a4771cfc9beec636fb7f3337b2061857a1824ec52bcc3114b168030b745519ca3b217b29f52c528
- Filesize: 6KB
  MD5: d8c6063c6c294fbbacb3ae4e078a3b07
  SHA1: aa5dffd5e814f76e4b8f74830644f55072e97f70
  SHA256: b6ce859f055a7ca36d2c941c1ef56a1875e983259d09200a1140dc5622c1fb9f
  SHA512: f1db4a5843cef2274e37ef2dd8d1516c82df13cc70b2d9b10e52368e4474d60cdfa298c3d42226599ba358cd6916ad591a81472ea9e718e79ba85fb807b9fbbe
- Filesize: 6KB
  MD5: 3569795985b6246470e81b7ea1da5689
  SHA1: 15a2be863074ce95d8da02469e4112d69a6eaffa
  SHA256: 495fd9e71dc05b7c9ba757aab929ec8a0970c1e23fb6f7ca449587b25621760e
  SHA512: 857cbd7690fd6884dd7a491ec81d3a7e0f97c50e127403fc0db5bcb3e3ec06cb3e6443ee8c82e80dbbd6df4f07484f7575fd6c39249c0cf36c23a3306a522c80
- Filesize: 5KB
  MD5: 3aa457b6e1d96551a35ef0fdb775414d
  SHA1: eb1033f849fbf481b812928e6f74ace25d0c2c3f
  SHA256: 9cf53529a624a2a18b6ee56ceb08994420bf95823f2d8569fed30f17f06b19c8
  SHA512: f50b623a3e4a3451963e9d935cfb556e0fc3755c6cf8a463db5d65d39346deba81fe51e252182e9645d968cbc12203c42833b9ed104a00ae2a05dec90f03049a
- Filesize: 7KB
  MD5: cd7b6f952e73f5c3d0d389e8539bcfcf
  SHA1: 7468d4586c45c17573805d289e67ffeb36d5f263
  SHA256: c811feb779f58e2ed08bc9a59089ec073708ca09f5e2ac4c444a7b5ff4ba9e41
  SHA512: 31a6e0f8fdf54169ca5df1169c9ccf9b21f0302cbc432ac4cdd2c0b62ae878bb7fd500a6ca9e83439bc2aee1c8dc1aee497f681ee80bb96248414516ad7bc384
- Filesize: 5KB
  MD5: ffe62ea982d9b95a10d0a2cbf78b5513
  SHA1: b5c74788d7b1db90dfcdc7518d5808758fb851fc
  SHA256: e361c4c5a7a8b45a1b1c039c0c4c2803f84e9289eaef81aacccf0ea9e19cd231
  SHA512: 0a5fcdf180eac7a66dab8418927b35dced6d8ceaa7273b2bdf741ac2ef2f7a344be58e7f4911c65a9583c4d99b81d47ec80aa6248ea8f2dd498fbb3bd9f21e8d
- Filesize: 24KB
  MD5: c2ef1d773c3f6f230cedf469f7e34059
  SHA1: e410764405adcfead3338c8d0b29371fd1a3f292
  SHA256: 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
  SHA512: 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549
- Filesize: 1KB
  MD5: c603edf6e172bf21a934f224bfec9c15
  SHA1: 700b5e8101e1fab83c4c6d08bb334c5da1b28bf2
  SHA256: 4523581365d5f370ba742f280a6730a57762332dfa4385f2f5a054ebb46037d8
  SHA512: 321426d32534ba0103faa5f026814d8a8889932c6edfafb9283e2f630925143d6e795090e82efc85ce700090717d89cf15553e79f9813001a911f3a79557187f
- Filesize: 1KB
  MD5: be519b4118a8fb7bf88974701d4014c8
  SHA1: b428412cea62ead1c2bc0360ed90a8d6c0859613
  SHA256: 0f0711a814605abbb60ec9a1d51eea60dadbb6f344407def70b73eb358f6ef2c
  SHA512: eee8b4ea99dffd54bba9ac0249fa2418e3073af30d2b1ed9722b905cb371c00c7c4c12bb222914b7584b68fd19124602cb1862f41091c22dbdd75cbc7a3fcf81
- Filesize: 1KB
  MD5: 1247c90120f3dd2cc0ce6a7f67dc40f6
  SHA1: b82b78453fd485ee7ad662f19d18af0aeb192222
  SHA256: 8b88e6a38b492197dc6f7a06c4b6b1890e39f42d4e3810a7105a454c9923f9d9
  SHA512: e2eabb955ec3210ef0af55b7cd92f71e6ebe40df4c2412ed222e27fd4752dde1b1b618a1386fc60d8f50ba44a107d561e9a257689bc8ae5d3dd9c051195ab743
- Filesize: 1KB
  MD5: 238a0d2ebf0d9bcedb6bc7fba04004ce
  SHA1: d63927e687d8cb0fae59c985d12a752cb8f208ae
  SHA256: d9ff61c036a318ffd6b47002fe3eedb3db51f454c99745e59bfbadcc17eecb9b
  SHA512: 4f6b31901f04d42928e3228ea1e29e8f8daeb51c74e6d79ed64e76286ad8ab6c075dffcd37c465117db97d5dc74a00b67340fa8f81d6313132e582a41dbfd84c
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 12KB
  MD5: fc42812b73eeec762a924be9c365dac4
  SHA1: bcefae1b0a374612d603a4dee32885d56c7550cf
  SHA256: 31b6052f0b49e368601240d659412b309a940cb3763bfd0318af2c033eb5f8db
  SHA512: 529ba1c095ed841975bf8417518476f65e3ea5c6c815137f836dc845c6b2c539f600af3bfc6c022cd173c1a3aed39540fc25d25b551b7f0d0258ca70de6e8f6a
- Filesize: 12KB
  MD5: d62a8ed67e38e186a9d547b33262a45d
  SHA1: 32207e52737d776bd8205bcf4db9f7119ae1c03e
  SHA256: 71a111203c5a87faa0fcd3ad514d797a30dd70efa344ea38001a66e7875ddba9
  SHA512: 43ddadb449b32216d3abce8be2ad9b01ca8ddccbe85678830333f1de1afe67dc381f3a71356ba3e01f2bf51a7516a59bf9394f3d133c102fa68b5b231ffa63a1
- Filesize: 10KB
  MD5: 7911f832c9b70a7af55a1c06c40f59bb
  SHA1: b6993aacf8bc43961a5b7da83d80d2e21732f7e4
  SHA256: b1450b18eb77b2f8d0ef928b0d8c8d0fa3e06d51e3a107169948eb2a842777a1
  SHA512: bf83a861b1d6bc62060120368c779647c703af8f0cc27e60205857d51975ff28d52105cb407785d89991e11bd0313bea71022078ef7f56867f30c51ddabd32aa
- Filesize: 794KB
  MD5: ab1187f7c6ac5a5d9c45020c8b7492fe
  SHA1: 0d765ed785ac662ac13fb9428840911fb0cb3c8f
  SHA256: 8203f1de1fa5ab346580681f6a4c405930d66e391fc8d2da665ac515fd9c430a
  SHA512: bbc6594001a2802ed654fe730211c75178b0910c2d1e657399de75a95e9ce28a87b38611e30642baeae6e110825599e182d40f8e940156607a40f4baa8aeddf2