Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 00:26
Behavioral task behavioral1: sample Towers (Paid).exe, resource win7-20240419-en
Behavioral task behavioral2: sample Towers (Paid).exe, resource win10v2004-20240508-en
General
- Target: Towers (Paid).exe
- Size: 20.1MB
- MD5: 78f2167ffc65737f93605ed6004e5f38
- SHA1: d6ec25ee83c8e0e0aa1a97fd7949ad60e24b2e1b
- SHA256: 34d8469a325db034742a082299caef8a82f2e0e18e6988fdaf15efea34f9ef6f
- SHA512: a1f345b9cd1ff6d2c0897a05d865935c7f0322b1704532c373d2a84982420021d2000679d66e47d364dfdfb8e6a4136093c9e42713886d0906857b3b5b4f45dc
- SSDEEP: 393216:1zEYPh8EL2Vmd6mI/m3pyc/eEJ4mbYV4aR5heV2BUp/Io3c8m0HK:OIyVmdSKyuh4yY/eVAoMQHK
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (7 IoCs)
Processes (pid | process):
- 3204 | towers (paid).exe
- 2416 | icsys.icn.exe
- 1864 | explorer.exe
- 3944 | spoolsv.exe
- 2676 | svchost.exe
- 3052 | spoolsv.exe
- 3180 | towers (paid).exe
Loads dropped DLL (31 IoCs)
Processes (pid | process):
- 3180 | towers (paid).exe (×31)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 3 | ipinfo.io
Drops file in System32 directory (2 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (5 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | Towers (Paid).exe
- File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
- File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
Detects Pyinstaller (1 IoC)
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\towers (paid).exe | pyinstaller
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process; 64 rows in total, identical rows collapsed):
- 4232 | Towers (Paid).exe (repeated)
- 2416 | icsys.icn.exe (repeated)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid | process):
- 1864 | explorer.exe
- 2676 | svchost.exe
Suspicious behavior: LoadsDriver (6 IoCs)
Processes (pid):
- 4 (×5)
- 660
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes (description | pid | process; each wmic.exe row appears twice):
- Token: SeDebugPrivilege | 3180 | towers (paid).exe
- Token: SeIncreaseQuotaPrivilege | 2356 | wmic.exe
- Token: SeSecurityPrivilege | 2356 | wmic.exe
- Token: SeTakeOwnershipPrivilege | 2356 | wmic.exe
- Token: SeLoadDriverPrivilege | 2356 | wmic.exe
- Token: SeSystemProfilePrivilege | 2356 | wmic.exe
- Token: SeSystemtimePrivilege | 2356 | wmic.exe
- Token: SeProfSingleProcessPrivilege | 2356 | wmic.exe
- Token: SeIncBasePriorityPrivilege | 2356 | wmic.exe
- Token: SeCreatePagefilePrivilege | 2356 | wmic.exe
- Token: SeBackupPrivilege | 2356 | wmic.exe
- Token: SeRestorePrivilege | 2356 | wmic.exe
- Token: SeShutdownPrivilege | 2356 | wmic.exe
- Token: SeDebugPrivilege | 2356 | wmic.exe
- Token: SeSystemEnvironmentPrivilege | 2356 | wmic.exe
- Token: SeRemoteShutdownPrivilege | 2356 | wmic.exe
- Token: SeUndockPrivilege | 2356 | wmic.exe
- Token: SeManageVolumePrivilege | 2356 | wmic.exe
- Token: 33 | 2356 | wmic.exe
- Token: 34 | 2356 | wmic.exe
- Token: 35 | 2356 | wmic.exe
- Token: 36 | 2356 | wmic.exe
- Token: SeDebugPrivilege | 2124 | taskmgr.exe
- Token: SeSystemProfilePrivilege | 2124 | taskmgr.exe
- Token: SeCreateGlobalPrivilege | 2124 | taskmgr.exe
- Token: 33 | 2124 | taskmgr.exe
- Token: SeIncBasePriorityPrivilege | 2124 | taskmgr.exe
Suspicious use of FindShellTrayWindow (53 IoCs)
Processes (pid | process):
- 2124 | taskmgr.exe (×53)
Suspicious use of SendNotifyMessage (52 IoCs)
Processes (pid | process):
- 2124 | taskmgr.exe (×52)
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid | process):
- 4232 | Towers (Paid).exe (×2)
- 2416 | icsys.icn.exe (×2)
- 1864 | explorer.exe (×2)
- 3944 | spoolsv.exe (×2)
- 2676 | svchost.exe (×2)
- 3052 | spoolsv.exe (×2)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process; identical rows collapsed):
- PID 4232 wrote to memory of 3204 | 4232 | Towers (Paid).exe | towers (paid).exe (×2)
- PID 4232 wrote to memory of 2416 | 4232 | Towers (Paid).exe | icsys.icn.exe (×3)
- PID 2416 wrote to memory of 1864 | 2416 | icsys.icn.exe | explorer.exe (×3)
- PID 1864 wrote to memory of 3944 | 1864 | explorer.exe | spoolsv.exe (×3)
- PID 3944 wrote to memory of 2676 | 3944 | spoolsv.exe | svchost.exe (×3)
- PID 2676 wrote to memory of 3052 | 2676 | svchost.exe | spoolsv.exe (×3)
- PID 3204 wrote to memory of 3180 | 3204 | towers (paid).exe | towers (paid).exe (×2)
- PID 3180 wrote to memory of 4484 | 3180 | towers (paid).exe | cmd.exe (×2)
- PID 3180 wrote to memory of 4928 | 3180 | towers (paid).exe | cmd.exe (×2)
- PID 3180 wrote to memory of 2356 | 3180 | towers (paid).exe | wmic.exe (×2)
- PID 3180 wrote to memory of 5036 | 3180 | towers (paid).exe | cmd.exe (×2)
- PID 1940 wrote to memory of 4604 | 1940 | msedge.exe | msedge.exe (×2)
- PID 1940 wrote to memory of 5332 | 1940 | msedge.exe | msedge.exe (repeated for all remaining rows)
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe, PID 4232
  command line: "C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\towers (paid).exe, PID 3204
    command line: "c:\users\admin\appdata\local\temp\towers (paid).exe "
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - \??\c:\users\admin\appdata\local\temp\towers (paid).exe, PID 3180
      command line: "c:\users\admin\appdata\local\temp\towers (paid).exe "
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe, PID 4484
        command line: C:\Windows\system32\cmd.exe /c "ver"
      - C:\Windows\system32\cmd.exe, PID 4928
        command line: C:\Windows\system32\cmd.exe /c
      - C:\Windows\System32\Wbem\wmic.exe, PID 2356
        command line: wmic csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe, PID 5036
        command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\Resources\Themes\icsys.icn.exe, PID 2416
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe, PID 1864
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe, PID 3944
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe, PID 2676
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe, PID 3052
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe, PID 2124
  command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe, PID 1280
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 1940
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault445c50e9hee2ch4633h9df6h11f161a5a6d0
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 4604
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc3bba46f8,0x7ffc3bba4708,0x7ffc3bba4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 5332
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1788,15889987451400041709,18049542054072408275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 5340
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,15889987451400041709,18049542054072408275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 5404
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1788,15889987451400041709,18049542054072408275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe, PID 5628
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe, PID 5700
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\svchost.exe, PID 5816
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
Downloads