Analysis
-
max time kernel
205s -
max time network
207s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-03-2024 22:34
Static task
static1
General
-
Target
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x000100000002a787-20.dat mimikatz -
Executes dropped EXE 1 IoCs
pid Process 2896 6503.tmp -
Loads dropped DLL 1 IoCs
pid Process 3020 rundll32.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\6503.tmp rundll32.exe File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString POWERPNT.EXE -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3932 schtasks.exe 1492 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31096191" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1710315485" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" iexplore.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1548 POWERPNT.EXE -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 3020 rundll32.exe 3020 rundll32.exe 3020 rundll32.exe 3020 rundll32.exe 2896 6503.tmp 2896 6503.tmp 2896 6503.tmp 2896 6503.tmp 2896 6503.tmp 2896 6503.tmp 3896 msedge.exe 3896 msedge.exe 1576 msedge.exe 1576 msedge.exe 3604 msedge.exe 3604 msedge.exe 2264 identity_helper.exe 2264 identity_helper.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe 2392 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 3020 rundll32.exe Token: SeDebugPrivilege 3020 rundll32.exe Token: SeTcbPrivilege 3020 rundll32.exe Token: SeDebugPrivilege 2896 6503.tmp -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1548 POWERPNT.EXE 1548 POWERPNT.EXE 1548 POWERPNT.EXE 1548 POWERPNT.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3040 wrote to memory of 3020 3040 [email protected] 78 PID 3040 wrote to memory of 3020 3040 [email protected] 78 PID 3040 wrote to memory of 3020 3040 [email protected] 78 PID 3020 wrote to memory of 4216 3020 rundll32.exe 79 PID 3020 wrote to memory of 4216 3020 rundll32.exe 79 PID 3020 wrote to memory of 4216 3020 rundll32.exe 79 PID 4216 wrote to memory of 2516 4216 cmd.exe 81 PID 4216 wrote to memory of 2516 4216 cmd.exe 81 PID 4216 wrote to memory of 2516 4216 cmd.exe 81 PID 3020 wrote to memory of 2332 3020 rundll32.exe 82 PID 3020 wrote to memory of 2332 3020 rundll32.exe 82 PID 3020 wrote to memory of 2332 3020 rundll32.exe 82 PID 2332 wrote to memory of 3932 2332 cmd.exe 84 PID 2332 wrote to memory of 3932 2332 cmd.exe 84 PID 2332 wrote to memory of 3932 2332 cmd.exe 84 PID 3020 wrote to memory of 4896 3020 rundll32.exe 85 PID 3020 wrote to memory of 4896 3020 rundll32.exe 85 PID 3020 wrote to memory of 4896 3020 rundll32.exe 85 PID 3020 wrote to memory of 2896 3020 rundll32.exe 87 PID 3020 wrote to memory of 2896 3020 rundll32.exe 87 PID 4896 wrote to memory of 1492 4896 cmd.exe 89 PID 4896 wrote to memory of 1492 4896 cmd.exe 89 PID 4896 wrote to memory of 1492 4896 cmd.exe 89 PID 1576 wrote to memory of 1504 1576 msedge.exe 95 PID 1576 wrote to memory of 1504 1576 msedge.exe 95 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96 PID 1576 wrote to memory of 2692 1576 msedge.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:2516
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 417093271 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 417093271 && exit"4⤵
- Creates scheduled task(s)
PID:3932
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:52:003⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:52:004⤵
- Creates scheduled task(s)
PID:1492
-
-
-
C:\Windows\6503.tmp"C:\Windows\6503.tmp" \\.\pipe\{5236FA2A-E77A-4396-92AA-5800172FA900}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
PID:2628
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd089a3cb8,0x7ffd089a3cc8,0x7ffd089a3cd82⤵PID:1504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:2692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:82⤵PID:2468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:12⤵PID:3016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:12⤵PID:2340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:12⤵PID:4860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:12⤵PID:3844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:12⤵PID:3260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵PID:4604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:12⤵PID:4784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,1225513841383856076,4374920862828032255,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3972 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4400
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3988
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\BlockRead.pot"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50e10a8550dceecf34b33a98b85d5fa0b
SHA1357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
SHA2565694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
SHA512fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a
-
Filesize
152B
MD53b1e59e67b947d63336fe9c8a1a5cebc
SHA15dc7146555c05d8eb1c9680b1b5c98537dd19b91
SHA2567fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
SHA5122d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0
-
Filesize
5KB
MD55a800084dc1ae4c6d95a7e0d7053c2ab
SHA1176a15fc71ed5883d738ebd2af82d5249d96830a
SHA2560b547631909d7067ad569f72bec8c243be32702bdd86074bd5f0fa5200dce23f
SHA5129cc346a73d330ba0982c32119435b2d0c7baa8be5600bdd37abf6f6c2cc6a7aaa1f932a24b9832937c988840a41848e9fbb62abce3d5a48a2fc1c8e6141249bc
-
Filesize
5KB
MD50555545c4287f4802b2a4c47cdfbca9a
SHA13048f042d7e75dfb32cc147cda706c733455a847
SHA2566047e8a8da5f6d5d441811ac59061d0e53da898ce3c2d8dcf32554ea9df93f69
SHA5123f48482637c72bfbe64d0bbfedc021d39a5df79f899179c887230e5e8e3c7b6836440e2235ae6f4abbde25a19b85ff97e5b94834a29b5c9b0e151a871160c201
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5d17b5e06b30a8015e94495e6d283967d
SHA18803e5adda113d5bee2198b05a7471dcd22b28c5
SHA25694875e2225c0c45ba34137b98090d5c33d719a6bde3bd31497a0dd889a4273c2
SHA5127f9b565688d85577580ceb68801294e949b3349b9c4f589957a274226708e115a81d4c308c97e5d9c52c14d6a4da827905b97a8854c66679e2fd84c2b6966230
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113