Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-02-2024 17:53
Static task: static1

General
Target:
Size: 431KB
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP: 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Mimikatz 1 IoCs
mimikatz is an open source tool to dump credentials on Windows.
  yara_rule mimikatz matched resource: behavioral2/files/0x0007000000023103-20.dat
Executes dropped EXE 1 IoCs
  PID 228: 3D3.tmp

Loads dropped DLL 1 IoCs
  PID 2916: rundll32.exe
Drops file in Windows directory 6 IoCs
  File opened for modification: C:\Windows\3D3.tmp (rundll32.exe)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (mspaint.exe)
  File created: C:\Windows\infpub.dat ([email protected])
  File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
  File created: C:\Windows\cscc.dat (rundll32.exe)
  File created: C:\Windows\dispci.exe (rundll32.exe)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3868: schtasks.exe
  PID 2120: schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies registry class 2 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings (OpenWith.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings (OpenWith.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  PID 1056: vlc.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2916 rundll32.exe 2916 rundll32.exe 2916 rundll32.exe 2916 rundll32.exe 228 3D3.tmp 228 3D3.tmp 228 3D3.tmp 228 3D3.tmp 228 3D3.tmp 228 3D3.tmp 4292 mspaint.exe 4292 mspaint.exe 3252 msedge.exe 3252 msedge.exe 2424 msedge.exe 2424 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 1056: vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  PID 2424: msedge.exe
  PID 2424: msedge.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
  Token: SeShutdownPrivilege, PID 2916 (rundll32.exe)
  Token: SeDebugPrivilege, PID 2916 (rundll32.exe)
  Token: SeTcbPrivilege, PID 2916 (rundll32.exe)
  Token: SeDebugPrivilege, PID 228 (3D3.tmp)
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 1056 vlc.exe 1056 vlc.exe 1056 vlc.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 3900 iexplore.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 1056 vlc.exe 1056 vlc.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe 2424 msedge.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 1056 vlc.exe 3900 iexplore.exe 3900 iexplore.exe 4292 mspaint.exe 3632 OpenWith.exe 3808 OpenWith.exe 4292 mspaint.exe 4292 mspaint.exe 4292 mspaint.exe 3084 IEXPLORE.EXE 3084 IEXPLORE.EXE 3084 IEXPLORE.EXE 3084 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
  PID 1612 ([email protected]) wrote to memory of PID 2916, procid_target 87 (3 entries)
  PID 2916 (rundll32.exe) wrote to memory of PID 2496, procid_target 88 (3 entries)
  PID 2496 (cmd.exe) wrote to memory of PID 4448, procid_target 90 (3 entries)
  PID 2916 (rundll32.exe) wrote to memory of PID 1580, procid_target 91 (3 entries)
  PID 1580 (cmd.exe) wrote to memory of PID 3868, procid_target 93 (3 entries)
  PID 2916 (rundll32.exe) wrote to memory of PID 1396, procid_target 94 (3 entries)
  PID 2916 (rundll32.exe) wrote to memory of PID 228, procid_target 96 (2 entries)
  PID 1396 (cmd.exe) wrote to memory of PID 2120, procid_target 98 (3 entries)
  PID 3900 (iexplore.exe) wrote to memory of PID 3084, procid_target 109 (3 entries)
  PID 2424 (msedge.exe) wrote to memory of PID 2076, procid_target 113 (2 entries)
  PID 2424 (msedge.exe) wrote to memory of PID 2124, procid_target 117 (36 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    PID: 1612
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 2916
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Delete /F /TN rhaegal
        PID: 2496
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /F /TN rhaegal
          PID: 4448

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3535658540 && exit"
        PID: 1580
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3535658540 && exit"
          PID: 3868
          - Creates scheduled task(s)

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:11:00
        PID: 1396
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:11:00
          PID: 2120
          - Creates scheduled task(s)

    [3] C:\Windows\3D3.tmp
        Command line: "C:\Windows\3D3.tmp" \\.\pipe\{74683556-6F2F-4DD6-8BA6-AA639A1D72D3}
        PID: 228
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe"
    PID: 1056
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[1] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WriteDisconnect.gif
    PID: 3900
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3900 CREDAT:17410 /prefetch:2
      PID: 3084
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\mspaint.exe
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnregisterSuspend.wmf"
    PID: 4292
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 3808
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 3632
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StepRead.mht
    PID: 2424
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9dd0a46f8,0x7ff9dd0a4708,0x7ff9dd0a4718
      PID: 2076

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,981954352691387228,12981270485951492242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      PID: 2124

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,981954352691387228,12981270485951492242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      PID: 3252
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,981954352691387228,12981270485951492242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      PID: 64

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,981954352691387228,12981270485951492242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      PID: 4356

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,981954352691387228,12981270485951492242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      PID: 4308

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    PID: 2580

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 440

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4556
Network
MITRE ATT&CK Enterprise v15
Downloads