Analysis

max time kernel: 257s
max time network: 264s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 15:06

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip
  Resource: win10v2004-20240226-en
  Errors:

General
Target: https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip
Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

mimikatz is an open source tool to dump credentials on Windows (1 IoC)
- resource: behavioral1/files/0x000400000001e59f-339.dat, yara_rule: mimikatz

Executes dropped EXE (1 IoC)
- pid 4852: E66A.tmp

Loads dropped DLL (15 IoCs)
Drops desktop.ini file(s) (1 IoC)
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (LogonUI.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
- flow 89: raw.githubusercontent.com
- flow 90: raw.githubusercontent.com
- flow 93: raw.githubusercontent.com
- flow 116: camo.githubusercontent.com
- flow 117: camo.githubusercontent.com

Drops file in Windows directory (35 IoCs)
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 2304: schtasks.exe
- pid 5280: schtasks.exe

Enumerates system info in registry (2 TTPs, 8 IoCs)
Modifies data under HKEY_USERS (27 IoCs)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{8A7F60CF-6910-4E55-9593-0D572A76F2D5} (msedge.exe)

Suspicious behavior: EnumeratesProcesses (45 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- pid 5076: chrome.exe
- pid 5076: chrome.exe
- pid 5076: chrome.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3568: LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip [PID 4244]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4004 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1 [PID 112]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5132 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1 [PID 2604]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4816 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 1876]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5840 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1 [PID 3096]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5832 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 740]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5928 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1 [PID 212]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6332 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 3288]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6292 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1 [PID 1332]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6612 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 2784]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6072 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 2036]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7136 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 2164]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=7120 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 2724]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5880 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 4540]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5884 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 [PID 3976]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window [PID 4748]
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffa00e22e98,0x7ffa00e22ea4,0x7ffa00e22eb0 [PID 4348]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2232 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:2 [PID 4352]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2732 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:3 [PID 2008]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 2960]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 4848]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 3016]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 2352]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 3144]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4672 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 3264]
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1636 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 5192]
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3552 --field-trial-handle=2236,i,15263478414305104745,9350457475046144260,262144 --variations-seed-version /prefetch:8 [PID 4392]
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding [PID 1132]
- "C:\Program Files\Google\Chrome\Application\chrome.exe" [PID 5076]
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa05d29758,0x7ffa05d29768,0x7ffa05d29778 [PID 1996]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:2 [PID 2184]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:8 [PID 3292]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:8 [PID 2104]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3264 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:1 [PID 4332]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3284 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:1 [PID 2720]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:1 [PID 5520]
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:8 [PID 5576]
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:82⤵PID:5648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:82⤵PID:5732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:82⤵PID:5776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5524 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:82⤵PID:5792
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:82⤵PID:6036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1876,i,4536536466489662553,12269242620450570716,131072 /prefetch:82⤵PID:6120
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
PID:880 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d29758,0x7ffa05d29768,0x7ffa05d297782⤵PID:1596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1972,i,16116204072048448401,15769824633996202943,131072 /prefetch:22⤵PID:5316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1972,i,16116204072048448401,15769824633996202943,131072 /prefetch:82⤵PID:5324
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:5192
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵PID:5536
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d29758,0x7ffa05d29768,0x7ffa05d297782⤵PID:5568
-
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵PID:5944
-
C:\Users\Admin\Desktop\[email protected]  PID:5368

    C:\Windows\SysWOW64\rundll32.exe  PID:5340
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe  PID:5580
            Command line: /c schtasks /Delete /F /TN rhaegal

            C:\Windows\SysWOW64\schtasks.exe  PID:5784
                Command line: schtasks /Delete /F /TN rhaegal

        C:\Windows\SysWOW64\cmd.exe  PID:5816
            Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 590078504 && exit"

            C:\Windows\SysWOW64\schtasks.exe  PID:2304
                Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 590078504 && exit"
                - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe  PID:5848
            Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:27:00

            C:\Windows\SysWOW64\schtasks.exe  PID:5280
                Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:27:00
                - Creates scheduled task(s)

        C:\Windows\E66A.tmp  PID:4852
            Command line: "C:\Windows\E66A.tmp" \\.\pipe\{6F073D69-7D2B-4ACE-98ED-A14025CAE07A}
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe  PID:3476
            Command line: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

        C:\Windows\SysWOW64\cmd.exe  PID:5952
            Command line: /c schtasks /Delete /F /TN drogon

            C:\Windows\SysWOW64\schtasks.exe  PID:3852
                Command line: schtasks /Delete /F /TN drogon

C:\Users\Admin\Desktop\[email protected]  PID:5764

    C:\Windows\SysWOW64\rundll32.exe  PID:3840
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:2344

    C:\Windows\SysWOW64\rundll32.exe  PID:5728
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:5516

    C:\Windows\SysWOW64\rundll32.exe  PID:3988
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:4020

    C:\Windows\SysWOW64\rundll32.exe  PID:3464
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:5484

    C:\Windows\SysWOW64\rundll32.exe  PID:4888
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:3476

    C:\Windows\SysWOW64\rundll32.exe  PID:4688
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:3048

    C:\Windows\SysWOW64\rundll32.exe  PID:5032
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:3788

    C:\Windows\SysWOW64\rundll32.exe  PID:3280
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:2408

    C:\Windows\SysWOW64\rundll32.exe  PID:5352
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:4652

C:\Users\Admin\Desktop\[email protected]  PID:6104

    C:\Windows\SysWOW64\rundll32.exe  PID:4632
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:5136

    C:\Windows\SysWOW64\rundll32.exe  PID:4088
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:5220

    C:\Windows\SysWOW64\rundll32.exe  PID:3044
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:5044

    C:\Windows\SysWOW64\rundll32.exe  PID:2288
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\[email protected]  PID:5492

C:\Users\Admin\Desktop\[email protected]  PID:4448

    C:\Windows\SysWOW64\rundll32.exe  PID:544
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\LogonUI.exe  PID:3568
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3962855 /state1:0x41c64e6d
    - Drops desktop.ini file(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3808065738-1666277613-1125846146-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg
    Filesize: 147KB
    MD5: e0d0be34426672025e96ec033c39a670
    SHA1: 0e935e2079f0158eab0900193321f5a79bced0bd
    SHA256: 3d69aa3a7db20529f550df9ada19c54a6be8a67f36e5a506d2874d91c28b7e81
    SHA512: 7253a7723f7c923eb21ecc4764874df14f30e8d7b42bd395c3cc65fa97a7d6fad32eb4ca3ef6b675588ab3649bef3b1f03f1457c8e8a62030a024380c6f6fa08

    Filesize: 40B
    MD5: 85cfc13b6779a099d53221876df3b9e0
    SHA1: 08becf601c986c2e9f979f9143bbbcb7b48540ed
    SHA256: bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
    SHA512: b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\46710b02-5d30-4df2-8d26-88e97ea5007c.tmp
    Filesize: 1B
    MD5: 5058f1af8388633f609cadb75a75dc9d
    SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
    SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
    SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

    Filesize: 1KB
    MD5: dec8410f1b94116a8475e4bb130fa9ba
    SHA1: 470d94dc82bc53d687274b2f2a478386546910b5
    SHA256: 7f3cf9a7856a5ca592815f838d993b36dfb2e1d978d87df69e1c90831060fdf9
    SHA512: 38f8f631ce59de2acba21dca251b3595d9b800fa84cee7f59612d6a2a43f3eb0a54df6d2bdfd155b5f67af2943882ee5cc3be2d86fdb62215286a3caaf971f5e

    Filesize: 369B
    MD5: 76ba5ea3b614e9eec5998437a3907fc2
    SHA1: 99738ec52c3a04f3bc968039da019fd9e1d6a719
    SHA256: 58fa6119772027698a8500311e4fe04b9761ae9f148dffb92b6cb87b73655423
    SHA512: 2a7d80e39dfe830c75c6cabd7f7f1b2d644b81b5d66950907b709d50739178248704b29bfbe401cd5d9bae686015bf2a5b1b59c0a323bb0145155b7e4de1494c

    Filesize: 5KB
    MD5: 0767b134f896d3fd3e5f86e573483e26
    SHA1: 1b74cfb987bdc99511207800df5dc009de1d1e47
    SHA256: 20055a30ca1413357b6361a8ba243c159391d4b75ac7cc2d6ff3000415172835
    SHA512: 19653cb80907edc2a5c3abd9f417469036da0f99c383f6bb8368cbaa9e4827303c74dbb42320d296c5ef56c447f7c458aba7c1aa41b66ee2aaef0a1d69da1f82

    Filesize: 5KB
    MD5: 36c506c28fbf033706d16b578006e543
    SHA1: e599fe901ed9bb35eb8cee7af9689ef21799d949
    SHA256: 7b2fbff0f5aed0e100a192413fc7ffc53eb6fde10d07eb129447a94cb2f9b838
    SHA512: 383de57c3f5aee6433f982106bc2961b2835b4bba7fd44dc5d96bf9b0662710ffe48c4dbc500d6dd7265129529230c31a675fa0f869c327b48ee48e91ad85763

    Filesize: 265KB
    MD5: 7f00d59addae9209e2e0e5a4184617f6
    SHA1: 5c448248ec36e67b5c2bc663d36fdae51b24b599
    SHA256: c7397ecb88c399140361551077a619ecdddf6a5e11d62b0f9d4d84a324a34fb4
    SHA512: bab789c693873f36a7d48ea1234e85aedcc122e98e6eb967c8af29f467e97c550c31a07217f62b071d988336d3a75e2ab9ba3e7458796ec5a9c3e2b36db716d1

    Filesize: 128KB
    MD5: 7e3489b27febf06c1d89a217d615828d
    SHA1: 94a1c2378d247ed7f9d550d1bcf335b76dfec851
    SHA256: d707a6335dd0721fcb062348849a48988e3b1dba9973f821a8d14b19b7bf0b8b
    SHA512: 22e8a7273f978ecddfcaecf7c1201e17f4f3acf127f663bf98d10a677f94bc9045e55784eef5eb3da8389bf325427c7a4900281ae46374e77902c4070bb46f9c

    Filesize: 265KB
    MD5: 73a23a40c990a1be7025981564e28e17
    SHA1: e08af2dd1202dd578eaea84bcdc8cd2eb5646d60
    SHA256: 3a30929688a61b9a1539d4f7d1f895d0c32437dc0b884b28b4289a19c83dc9de
    SHA512: f21f25861f23749b7621851f31341e24e781e256bb72e7632cc43fad14d280798fa1d2fe0bd5e84ee6f01919dfb5b4ce62d7c0d109693ea3e408e227b72ee702

    Filesize: 86B
    MD5: f732dbed9289177d15e236d0f8f2ddd3
    SHA1: 53f822af51b014bc3d4b575865d9c3ef0e4debde
    SHA256: 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
    SHA512: b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

    Filesize: 85B
    MD5: bc6142469cd7dadf107be9ad87ea4753
    SHA1: 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
    SHA256: b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
    SHA512: 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

    Filesize: 280B
    MD5: 1d129d441769c8d47122fd6ea05e20dc
    SHA1: 2b19c9bee6231858beacd2d83e805ba671143e68
    SHA256: 0d607f661e4342dcf1ab5be1528d5df2f5e820a8a5df232e120d4cf40822a26a
    SHA512: 1e5701300fbf0eb0d6a792cd56b89d90c3b5942d059ffb43407501a8fcab443daeee9973b3d5aaa2ce67e512d33d66e9cfc74babdc8a3c5c65079133f96aac64

    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

    Filesize: 2KB
    MD5: d4d0b6c4ca9605c521316920c10bb4a0
    SHA1: d477a30ca5cd0ac00ae6ab44d58a4e2aeff41904
    SHA256: c2ae49eeeedc26b843ee8699bb5dff2ce8c0a5ece9f29610f53bc37096cbaf2e
    SHA512: a72775d125723f0dad69ac0ecc21b862aa6f828b3a4b541000ad452888751a0b0da0f50b6413ad80b6efd3fe974e99754d92ff658261347216a971aeecd3f5ac

    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

    Filesize: 40B
    MD5: 20d4b8fa017a12a108c87f540836e250
    SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
    SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
    SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

    Filesize: 12KB
    MD5: 9ca78ddb183eb895fe2b3ef10bc7b917
    SHA1: c7647460b87b5ef7a2f94f70345f96d378c5691b
    SHA256: a3f686b3762fdbf1dfe624294b385908a3f3b824f8de057d80c3fe40199ea4ed
    SHA512: d79449652ee2bfc1097340c04585ac9048809c717447fce189f610d059124816c8b99f2447c330bf5ccb3fec3e327157e528039830ad3e34cd0abc28d5bbb144

    Filesize: 30KB
    MD5: ec22c6a9fe2bceaee5fafab5cf311767
    SHA1: 201646f9e60f920613c6140e1a5310c5c59daaa2
    SHA256: 4c97991d017a4c58ff72d5f4598db1f3bed47d77c9ea2b7dd206e640ea36648b
    SHA512: 29418f145cf0438a116e4495cacf7818f9e91185cc6f9f6b45108d18fbc942f638ab99f31dc47c5c47c4a43a81afcc3147b16dfb5f60bb99afdce43c780975b2

    Filesize: 77KB
    MD5: 90a2ebd7bc6b10c9634e6195e335d840
    SHA1: 640cc8623efd6ee6c7089b681541cb38d824aa6e
    SHA256: 7840941097bbeba0fe86199059fbbcf222448cf331947e506b2b4d9102bda5b2
    SHA512: f1451fd56ffa431cad3c7e948af5936bec15814c0053dd40560cd978b6109828a715f6ff545ed728216fda5cd73f377fc4b9e60b67fbcaa9e53db41c251bdd40

    Filesize: 66KB
    MD5: beee5400c43dd52666aa95b315ddf847
    SHA1: 82354d3b9bfda00f4661306c296650682b79ae05
    SHA256: 0833ff25d02d7d79980e69c6e5348135cdf566d6a6b9aeb3507c2180ef4afd87
    SHA512: 9fac433e89706a40d0099de5bd7a54988553fb25b9acb6296aa4cb5f34c039b1dc6acfbd3cf3bf5cc6efc350c31fa3c0933337ce90d4e8fd3047849836d25d3f

    Filesize: 60KB
    MD5: 347ac3b6b791054de3e5720a7144a977
    SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
    SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
    SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

    Filesize: 401KB
    MD5: c4f26ed277b51ef45fa180be597d96e8
    SHA1: e9efc622924fb965d4a14bdb6223834d9a9007e7
    SHA256: 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
    SHA512: afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

    Filesize: 401KB
    MD5: 2b2479fe80dde99dd497a1ca41d5aa23
    SHA1: 19116ce6ff6d859a91d5a9c7828b6b793c431479
    SHA256: a96e54ac864ab635e4b05b29404555c56ec5bcd50183384de3a724c4c80334dd
    SHA512: d6ad7e7216073181d36002c704a1ffbe9823ebf8fac85a21f8d98fe21d6d28f0de338fbf7d7e7f857056c04a14729b8406db77a47b3dbd26bc873dd2ff9f4b37

    Filesize: 401KB
    MD5: 1d724f95c61f1055f0d02c2154bbccd3
    SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
    SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
    SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113