Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/02/2024, 03:37
Behavioral task
behavioral1
Sample
ad967292a0b22c3289b6e7e58f45b439.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ad967292a0b22c3289b6e7e58f45b439.exe
Resource
win10v2004-20240226-en
General
-
Target
ad967292a0b22c3289b6e7e58f45b439.exe
-
Size
388KB
-
MD5
ad967292a0b22c3289b6e7e58f45b439
-
SHA1
58777aed823b559adff0090a8595b5ce1d57fe1b
-
SHA256
dd7a328ba2cc59cf699efe1a83f45fb9da3837e7cb49e23312d9396e9536cca0
-
SHA512
8eba04c5fb6634ae7cff71b2757315e15930fdb9b43b1f48f2fba023969aaa28291c0dc4e4a0411367d4376dbaeb29660b2448f9e8c95ceb5eb1a5b18a8f711f
-
SSDEEP
6144:RcJNg4pnBwxLQ5ng945GYeunZAuJIVAbERCayvNoiCxy4xHhFmsdRVEbDC8yG:ioc2xU5ng90heunKA4RCay2PxykUy
Malware Config
Signatures
-
resource yara_rule behavioral2/files/0x000a0000000231d0-3.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 2628 JustZIPit.exe -
Modifies system executable filetype association 2 TTPs 13 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit\Command JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit\ = "Just&ZIPit - Create a ZIP File" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit_Email JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"%1\"" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"-e\" \"%1\"" JustZIPit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.CSV\shell\JustZIPit_Email\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"-e\" \"%1\"" JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpg\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wab_auto_file\shell\JustZIPit_Email JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shtmlfile\Shell\JustZIPit\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"%1\"" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\Shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wma\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wma\Shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\shell\JustZIPit_Email JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\Shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogg\Shell\JustZIPit\Command JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "JustZIPit_Archive" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\Shell\JustZIPit\Command JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\shell\JustZIPit\ = "Just&ZIPit - Create a ZIP File" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.CSV\Shell\JustZIPit_Email\Command JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.CSV\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wma\shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\Shell JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpg\Shell\JustZIPit JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JustZIPit_Archive\ = "ZIP Archive File" JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\JustZIPit\ = "Just&ZIPit - Create a ZIP File" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CSSfile\Shell\JustZIPit JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hlpfile\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mov\Shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\JustZIPit_Email JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp3\Shell JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\JustZIPit\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"%1\"" JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mov\shell\JustZIPit_Email\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"-e\" \"%1\"" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SLK\Shell\JustZIPit_Email JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Addin\shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wma\Shell\JustZIPit JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Addin\shell\JustZIPit_Email\ = "JustZIPit - then &Email" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft Email Message\Shell\JustZIPit_Email JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\giffile JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\Shell JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\Shell\JustZIPit_Email JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\Shell\JustZIPit_Email\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shtmlfile\Shell\JustZIPit\Command JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.CSV\Shell\JustZIPit_Email JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\JustZIPit\ = "Just&ZIPit - Create a ZIP File" JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JustZIPit_Archive\Shell\Open\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"%1\"" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\Shell\JustZIPit JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wab_auto_file\Shell\JustZIPit JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\JustZIPit\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"%1\"" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\shell\JustZIPit JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\Shell\JustZIPit JustZIPit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\shell\JustZIPit\ = "Just&ZIPit - Create a ZIP File" JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8 JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\Shell\JustZIPit JustZIPit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mov\shell\JustZIPit_Email JustZIPit.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 2652 msedge.exe 2652 msedge.exe 960 identity_helper.exe 960 identity_helper.exe 2172 msedge.exe 2172 msedge.exe 2172 msedge.exe 2172 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe 2652 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4304 wrote to memory of 2628 4304 ad967292a0b22c3289b6e7e58f45b439.exe 88 PID 4304 wrote to memory of 2628 4304 ad967292a0b22c3289b6e7e58f45b439.exe 88 PID 4304 wrote to memory of 2628 4304 ad967292a0b22c3289b6e7e58f45b439.exe 88 PID 2628 wrote to memory of 2652 2628 JustZIPit.exe 95 PID 2628 wrote to memory of 2652 2628 JustZIPit.exe 95 PID 2652 wrote to memory of 2516 2652 msedge.exe 96 PID 2652 wrote to memory of 2516 2652 msedge.exe 96 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 400 2652 msedge.exe 97 PID 2652 wrote to memory of 3684 2652 msedge.exe 98 PID 2652 wrote to memory of 3684 2652 msedge.exe 98 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101 PID 2652 wrote to memory of 2892 2652 msedge.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad967292a0b22c3289b6e7e58f45b439.exe"C:\Users\Admin\AppData\Local\Temp\ad967292a0b22c3289b6e7e58f45b439.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Users\Admin\Documents\AvatarSoft\JustZIPit\JustZIPit.exeC:\Users\Admin\Documents\AvatarSoft\JustZIPit\JustZIPit.exe -firstlaunch2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\JustZIPit\About.htm3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf64146f8,0x7ffbf6414708,0x7ffbf64147184⤵PID:2516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:24⤵PID:400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:14⤵PID:3792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:14⤵PID:5048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:84⤵PID:2892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:84⤵PID:4856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:14⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:14⤵PID:2368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:14⤵PID:4432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:14⤵PID:1172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4629769309711929617,13954050560822664942,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2040
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3624
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
Filesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
Filesize
6KB
MD59f7e7a70d1a39e024cbb94d8f33568c7
SHA1fad06d87f45ed5ae50af6aaf31399c75e5573026
SHA25637529c63578c74e0c8b712683dcea3946d7ee76082e39f8ab41ecd58951c68ec
SHA512f926d5db82493171b879e8f6b52811d4fd591e81b763a72d241b6665eefe1530dea772bba60fb995d0622eb861f1749ed939abcc22d7eb78f4d12be2b4616858
-
Filesize
6KB
MD52a81b130195ba60cba7d88f5871b6647
SHA1d32a898658fba35cd5e8f78f02d752160f68aaf5
SHA2566d546cfa33e9b09f63be8500e9c470f28994d817fcba63ebdfec8a2d31e9b9a4
SHA512be95665d64e36b29243483510393d79c0a94f738de2f8bd5852fc9fefd62af0b7dfd059dba4cc244653d98cf2a93aa1eb2b61d27840aba1fca7e7f60323f0e07
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD509226e77570fc2f59b91ebcb42418a8d
SHA14f80251c0372e873617334e2e8dff70a146e10c4
SHA2562d317ef69fc60643e6e8b27a26c7bb225dc0b99a7c65c8b1a98550ed5ad50895
SHA5126cd21c8e6af4eb98c759f0d782ede6bdef8d85f51f1245684d7adf1000a7154eff989778b90717bbf53cee6a6030dcf2607d881ac760670cf23ea17fb751c61b
-
Filesize
8KB
MD5fc0f18afc6c2335569fdd3a3740fbadb
SHA1a6c8a0596ed082d4cc45200bc978c9b8996e7bc5
SHA256ad20cba40c89a42bbf790909511f1abbe3fd0c447d2dfd2af765aedd301b5dc0
SHA512f02a5931c1248b2e6c01a3d8593f65fd3fcb8d80134652025e125f26150df59da39e6ae33eafc54f92b499742200a6cbc6684efb61c214e27fbbf23411d1bd1a
-
Filesize
7KB
MD593d863301cc193fa02c826bb0a1842b6
SHA1a4bfa710fea863ae8ccc77718b7c0dc480f2d63e
SHA2566360caca4b97f4ee4b8618b22da6f801d9bc676d5fe4c08f381dd9325b0b21ca
SHA512558283635116d4b5b3bbd1210179af001b9d0bf9e8c17dc523e38cfa000149142768cb5b0dacf36f15bceaa954ae0b1039b8618cc27f33b443985b9b20e8057c
-
Filesize
24KB
MD5cf8a857e38a8ffa9bf7fe8959523f55b
SHA1fbbdee84b0750a5be4c061a92554cebc18e660f2
SHA2564391bed496095d4e87c6df4ab4df2f81f15c615b7528acc37de9c5f89ccab905
SHA5122706c368fb6adef8c6a20fcfab2bc8a40b32b6b8e424215ffd1c78b8e3dba7588f1ff433c8356009772987142acccb285c752a080a03a8cbe0843c2508358d48
-
Filesize
16KB
MD590c2a262d7916d53021b7019ec8007c0
SHA10557973f4638e501e8688435ea6f0ec501ecf758
SHA2567d647877d9cd7e320870b34153a24697e0bdb67d07720c6b40e728f5baf4b3bd
SHA5127b2de1f75cdca5091263bc28aa3f1c3be5aa3f2433c020d3453168fd25d125ab268e9dd0359ff44b15c7b980c0e4ea29d329926f137c8941dd76179099d30b1d
-
Filesize
2KB
MD510c0cdffd5977ee7aaf2b59690ff1164
SHA1fb349dbcf7e8abaad7fcb1086fced8d37d87aab7
SHA2562be078a93a03130e600836c4e822197631553d16817b6815d925a0c63ca2d1c9
SHA51253862bd8291b6c3a2dea08d81086cba9d0ee5578438e3d7a47fa5d181369c22ea206c13e2a23b065dc2889d32c0136f81c0dc009eec9c4a8ba69bedd0a41548f
-
Filesize
4KB
MD5032d5341f1e64fd77fc07a494a4b3f30
SHA1fec1a601a5d3ae1c98d04ae912231dc8ac977e52
SHA2567d1b63b7f777b294a12ed621b81fde0182816e7252657d0369ee9fc2cf811051
SHA5125dbbef35e7332abca1aeb391cf82e84a3a97e77c575d22052df535f99378d712f38d76e8db292f2e8c0f9ed508dda74c0df4486ab27172d6558b99020dff86b7
-
Filesize
12KB
MD56db37e80fd1d38af357cfce03445d400
SHA15fa994f46f6e10c9370dca598da11e473ce4a59c
SHA256f21ad1de66ebb5d0156627ca58a1a1923a8c19ae708e594049930c4d76a927e3
SHA512c0fe5b1d1fbeb7c292521e7df1fd9c364b58a15f23dae18cb63f0ca7187a97426de7db65f59647d4dc886d9c6ea0dc875c218babfd71f04a6304bb70fe0071de
-
Filesize
990B
MD5a0f8d45d6de0e235b1ccf07e0fce6ca6
SHA1df979436fee508e359868ae69cf0df34d310caf3
SHA25696394974d5f88c4e018f3a275fafba6bab133860e1c000d3a748f196dd86fa27
SHA5121392024214ee832d960e581d0ff26e7a25ad78eec2f4ba643f5ccd77e0cacb337b1f49e7f2920e33995d9cd8745ffa133a9cab0c3dfbdd48cc1fd0b0f4b7c826
-
Filesize
964B
MD562a92c90885826cdb7d2a7d13f504a9e
SHA1b56de818e7bda9be511a65b2631476bde8cb1ec3
SHA2560a65766f2e0932115eebccd94398fc3b5c24baca30a58c9b763087332c192281
SHA512bb24c4f2494ada5b460f4f4e7703063d486f17cf1f6bad3c8ff05dfff6fce2f030832b85981f9f5aa2eea5539f7b9cee3b39206137a69ed0732ef5ee95032af2
-
Filesize
388KB
MD5ad967292a0b22c3289b6e7e58f45b439
SHA158777aed823b559adff0090a8595b5ce1d57fe1b
SHA256dd7a328ba2cc59cf699efe1a83f45fb9da3837e7cb49e23312d9396e9536cca0
SHA5128eba04c5fb6634ae7cff71b2757315e15930fdb9b43b1f48f2fba023969aaa28291c0dc4e4a0411367d4376dbaeb29660b2448f9e8c95ceb5eb1a5b18a8f711f