Analysis
max time kernel: 165s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Resource: win10v2004-20240226-en
General
Target: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Size: 645KB
MD5: 79cdf459683c39e9704a37a6be9bc877
SHA1: 450d4f351c3dd168e313b309da4bd8a817453d1d
SHA256: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c
SHA512: 2cc3f164e92650c4d4aed7012da7d303d24cdc63565ed744a28cb6d59465189233a128a01f4b807aa972057e0d0d98742c5ca9b41a67bf59f0f115de30eb6bd4
SSDEEP: 12288:Ya8gND5n7gG2WERaCyDVbdlSQLeYBgdAULx9mutZo5B:YgNDBg3JRaCyDVplSUBgrHtZor
Malware Config
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Avaddon payload 5 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/4148-2-0x0000000003790000-0x00000000038A7000-memory.dmp  family_avaddon
  behavioral2/memory/4148-3-0x0000000000400000-0x000000000330D000-memory.dmp  family_avaddon
  behavioral2/memory/4148-4-0x0000000000400000-0x000000000330D000-memory.dmp  family_avaddon
  behavioral2/memory/4148-8-0x0000000003790000-0x00000000038A7000-memory.dmp  family_avaddon
  behavioral2/memory/4148-107-0x0000000000400000-0x000000000330D000-memory.dmp  family_avaddon
UAC bypass
Processes:
  description      ioc                                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Renames multiple (136) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks whether UAC is enabled
Processes:
  description      ioc                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
  description                   ioc                                                                          process
  File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (process for every entry: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe):
  description              ioc
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\X:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\I:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
Processes:
  pid   pid_target  process       target process
  3924  4148        WerFault.exe  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  4480  4148        WerFault.exe  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  4972  4148        WerFault.exe  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  5448  4148        WerFault.exe  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  1644  4148        WerFault.exe  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  4120  4148        WerFault.exe  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  4148  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  (the same pid/process pair is reported for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
  process: wmic.exe, pid 5892, 1108 and 4012 (each of the three processes adjusted the same 21 tokens, listed below in the reported order; 3 x 21 = 63 IoCs)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                       pid   process                                                                target process
  PID 4148 wrote to memory of 5892  4148  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  wmic.exe  (reported 3 times)
  PID 4148 wrote to memory of 1108  4148  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  wmic.exe  (reported 3 times)
  PID 4148 wrote to memory of 4012  4148  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  wmic.exe  (reported 3 times)
System policy modification 1 TTPs 3 IoCs
Processes:
  description      ioc                                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"    48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Processes
C:\Users\Admin\AppData\Local\Temp\48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 792
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 820
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 828
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 860
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 900
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 960
    - Program crash
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4148 -ip 4148
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Downloads
  file                                                            filesize
  memory/4148-1-0x0000000003350000-0x0000000003450000-memory.dmp    1024KB
  memory/4148-2-0x0000000003790000-0x00000000038A7000-memory.dmp    1.1MB
  memory/4148-3-0x0000000000400000-0x000000000330D000-memory.dmp    47.1MB
  memory/4148-4-0x0000000000400000-0x000000000330D000-memory.dmp    47.1MB
  memory/4148-7-0x0000000003350000-0x0000000003450000-memory.dmp    1024KB
  memory/4148-8-0x0000000003790000-0x00000000038A7000-memory.dmp    1.1MB
  memory/4148-107-0x0000000000400000-0x000000000330D000-memory.dmp  47.1MB