Analysis
- max time kernel: 113s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 20:19
Static task: static1
Behavioral task: behavioral1
- Sample: Services.bat
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: Services.bat
- Resource: win10v2004-20231215-en
General
- Target: Services.bat
- Size: 1KB
- MD5: 15c32ce6b0f03e114d12e3fbddfaf284
- SHA1: 715c583f291c0bc7cbce70e917efd2088c5f69f4
- SHA256: feea3894cc6f58bf511c7d85283cffdddddeafafab3c272a6c26384f4d13d68e
- SHA512: 053d9ea87e77a480e51a27b63868a234a9563600201076c9b75502cca1c7441e2ad4b65b9496751000a0d9839e8ac953104319ed757db7ad6a8074d0c436f87a
Malware Config
Signatures
- Launches sc.exe (26 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process): 988 sc.exe, 3336 sc.exe, 6092 sc.exe, 5792 sc.exe, 2476 sc.exe, 4688 sc.exe, 3236 sc.exe, 892 sc.exe, 4752 sc.exe, 5296 sc.exe, 4716 sc.exe, 4376 sc.exe, 5472 sc.exe, 4336 sc.exe, 1812 sc.exe, 4604 sc.exe, 2292 sc.exe, 4856 sc.exe, 5100 sc.exe, 5244 sc.exe, 1428 sc.exe, 3632 sc.exe, 3676 sc.exe, 5696 sc.exe, 4380 sc.exe, 4956 sc.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description: ioc (process)):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description: ioc (process)):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description: ioc (process)):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Modifies registry class (2 IoCs)
  Processes (description: ioc (process)):
  - Key created: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings (taskmgr.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{475B42AD-2596-4555-AAEC-CBEE46231563} (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  Processes (pid, process): 5564 taskmgr.exe (46 entries), 2188 msedge.exe (2 entries), 5164 msedge.exe (3 entries), 324 identity_helper.exe (2 entries), 4744 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes (pid, process): 5164 msedge.exe (9 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description: pid process):
  - Token: SeDebugPrivilege: 5564 taskmgr.exe
  - Token: SeSystemProfilePrivilege: 5564 taskmgr.exe
  - Token: SeCreateGlobalPrivilege: 5564 taskmgr.exe
  - Token: 33: 5564 taskmgr.exe
  - Token: SeIncBasePriorityPrivilege: 5564 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid, process): 5564 taskmgr.exe (64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (pid, process): 5564 taskmgr.exe (64 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
  - PID 5264 cmd.exe wrote to memory of sc.exe, two entries per target PID: 1812, 4688, 4716, 4604, 5296, 4380, 3236, 2292, 5244, 1428, 4376, 5472, 4856, 5100, 892, 988, 3632, 2476, 3676, 5696, 3336, 4752, 6092, 4336, 4956, 5792
  - PID 5164 msedge.exe wrote to memory of msedge.exe: target PID 3812 (2 entries), target PID 2124 (10 entries)
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Services.bat"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 5264
  Child processes, each with image C:\Windows\system32\sc.exe and signature "Launches sc.exe":
  - sc config WSearch start=disabled (PID 1812)
  - sc config SSDPSRV start=disabled (PID 4688)
  - sc config lfsvc start=disabled (PID 4716)
  - sc config AXInstSV start=disabled (PID 4604)
  - sc config AJRouter start=disabled (PID 5296)
  - sc config AppReadiness start=disabled (PID 4380)
  - sc config HomeGroupListener start=disabled (PID 3236)
  - sc config HomeGroupProvider start=disabled (PID 2292)
  - sc config SharedAccess start=disabled (PID 5244)
  - sc config lltdsvc start=disabled (PID 1428)
  - sc config diagnosticshub.standardcollector.service start=disabled (PID 4376)
  - sc config wlidsvc start=disabled (PID 5472)
  - sc config SmsRouter start=disabled (PID 4856)
  - sc config NcdAutoSetup start=disabled (PID 5100)
  - sc config PNRPsvc start=disabled (PID 892)
  - sc config p2psvc start=disabled (PID 988)
  - sc config p2pimsvc start=disabled (PID 3632)
  - sc config PNRPAutoReg start=disabled (PID 2476)
  - sc config WalletService start=disabled (PID 3676)
  - sc config WMPNetworkSvc start=disabled (PID 5696)
  - sc config icssvc start=disabled (PID 3336)
  - sc config XblAuthManager start=disabled (PID 4752)
  - sc config XblGameSave start=disabled (PID 6092)
  - sc config XboxNetApiSvc start=disabled (PID 4336)
  - sc config DmEnrollmentSvc start=disabled (PID 4956)
  - sc config RetailDemo start=disabled (PID 5792)
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Checks processor information in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 5564
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of WriteProcessMemory
  PID: 5164
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8be9f46f8,0x7ff8be9f4708,0x7ff8be9f4718
    PID: 3812
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
    PID: 2124
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 2188
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    PID: 3876
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    PID: 2076
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    PID: 4624
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    PID: 404
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
    PID: 2096
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    PID: 5184
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 324
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    PID: 2660
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    PID: 1324
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
    PID: 2488
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    PID: 6084
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5580 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
    PID: 4744
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4884 /prefetch:8
    PID: 1740
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3636860957821869492,6995437657522279729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
    PID: 5208
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5408
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1280
Network
MITRE ATT&CK Enterprise v15
Downloads