Analysis

max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 11:22

Tasks:
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample: https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
  Resource: win10v2004-20240709-en

General

Target: https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
Malware Config
Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
resource / yara_rule (all hits match the upx rule on the 0x0000000000400000-0x00000000005DE000 image region of the sample processes):
- behavioral1/memory/3712-136-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-138-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-140-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-137-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-143-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/1544-144-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/1544-145-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/1544-146-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/4552-150-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/4016-152-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-153-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/4180-155-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/4552-156-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/4016-160-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/4180-162-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-179-0x0000000000400000-0x00000000005DE000-memory.dmp upx
- behavioral1/memory/3712-180-0x0000000000400000-0x00000000005DE000-memory.dmp upx
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" ([email protected])

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
flow / ioc:
- 15 raw.githubusercontent.com
- 16 raw.githubusercontent.com
- 114 camo.githubusercontent.com
- 115 camo.githubusercontent.com

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)

Enumerates system info in registry (2 TTPs, 6 IoCs)
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Modifies data under HKEY_USERS (2 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133660346349762864" (chrome.exe)

Modifies registry class (1 IoC)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (46 IoCs)
pid / Process (repeated entries collapsed into counts):
- 1868 msedge.exe (x2)
- 3532 msedge.exe (x2)
- 1740 identity_helper.exe (x2)
- 4152 msedge.exe (x2)
- 3712 [email protected] (x4)
- 1544 [email protected] (x4)
- 4552 [email protected] (x4)
- 4016 [email protected] (x4)
- 4180 [email protected] (x4)
- 2256 taskmgr.exe (x16)
- 1908 chrome.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid / Process:
- 3532 msedge.exe (x3)
- 1908 chrome.exe (x4)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege 2256 taskmgr.exe
- Token: SeSystemProfilePrivilege 2256 taskmgr.exe
- Token: SeCreateGlobalPrivilege 2256 taskmgr.exe
- Token: 33 2256 taskmgr.exe
- Token: SeIncBasePriorityPrivilege 2256 taskmgr.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 1908 chrome.exe, alternating (the remaining 59 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
pid / Process:
- 3532 msedge.exe and 2256 taskmgr.exe, 64 entries in total

Suspicious use of SendNotifyMessage (64 IoCs)
pid / Process:
- 3532 msedge.exe and 2256 taskmgr.exe, 64 entries in total

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target:
- PID 3532 (msedge.exe) wrote to memory of 4076 (target 84)
- PID 3532 (msedge.exe) wrote to memory of 824 (target 85)
- PID 3532 (msedge.exe) wrote to memory of 1868 (target 86)
- PID 3532 (msedge.exe) wrote to memory of 1048 (target 87)
The 64 entries repeat these four pairs, the great majority of them for targets 824 and 1048.
Processes

- PID 3532: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 4076: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff904346f8,0x7fff90434708,0x7fff90434718
  - PID 824: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  - PID 1868: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1048: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  - PID 432: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - PID 3684: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - PID 4940: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  - PID 1740: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2332: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4724 /prefetch:8
  - PID 4572: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  - PID 4152: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

- PID 2112: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- PID 4188: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- PID 916: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- PID 3712: C:\Users\Admin\Desktop\[email protected]
  Command line: "C:\Users\Admin\Desktop\[email protected]"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses

- PID 1544: C:\Users\Admin\Desktop\[email protected]

- PID 4552: C:\Users\Admin\Desktop\[email protected]

- PID 4016: C:\Users\Admin\Desktop\[email protected]

- PID 4180: C:\Users\Admin\Desktop\[email protected]

- PID 2256: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- PID 1908: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken
  - PID 1020: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff80e0cc40,0x7fff80e0cc4c,0x7fff80e0cc58
  - PID 4052: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1736 /prefetch:2
  - PID 1264: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2176 /prefetch:3
  - PID 1168: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2456 /prefetch:8
  - PID 3648: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  - PID 1720: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3392,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3412 /prefetch:1
  - PID 4368: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4516 /prefetch:1
  - PID 920: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4840 /prefetch:8
  - PID 3224: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4916 /prefetch:8
  - PID 6052: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5324,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5376 /prefetch:1

- PID 3692: C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

- PID 4528: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.4MB
  MD5: 63210f8f1dde6c40a7f3643ccf0ff313
  SHA1: 57edd72391d710d71bead504d44389d0462ccec9
  SHA256: 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
  SHA512: 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

- Filesize: 649B
  MD5: 78f3dd894aeb1530d2a97e2025476668
  SHA1: aa855aeba1e4c1dd6d4c33c5617b4937374f178a
  SHA256: 8397c08ccff92c027d1b407d8f0d1fd474f0c39947a5a06e168a819f5c528bd7
  SHA512: 6f85af30dc07c98d1787cffba3a196108847e3a60cd73ed60109f3cff5cbd761e47173a64721a4b6af17220f50fe80770e21e4fb272f2afcc10655568ba0b77a

- Filesize: 1KB
  MD5: e93980c4122c2570bf17a0d1e2c890be
  SHA1: 14efc026bd1c58446e9788c98d57aa83d466d639
  SHA256: fbb4f93711e0764d9da85564803f688cd89f5763d5ace9ea169ef4d9d7f9c5f0
  SHA512: bead31cbc82774ceab7dda8c8219052588a0143d4a0c05905e9f798405175952eae07d795ce62600a3292860db2086888e00f6cf153d29cd102e59546a2fac52

- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize: 354B
  MD5: 1d072a9db966275110a6ab4e93bc1e8e
  SHA1: 7b0cc49cc83429e774bc18d5b15c179a468acb4c
  SHA256: e5848302d9f5c57add0e87f5a8d398ccbffca7d71df154ed3d8b7d3a470deb26
  SHA512: 164b2ac6fcd261f1f5b671273e7573a4803aae649002a440df0cffb73eee3731415b39973f2abc5b896dc56efbeb41fd8b28a105d001210b61bf0a464c46fdd0

- Filesize: 1KB
  MD5: bdfa8584bc88b4cc74e522fe3c2846ab
  SHA1: ab51b216e45ad6c5998a20bac4740d5997f2b648
  SHA256: 1a184fc12737f81de3bf36c18ac724605a4cde30acf781690b409f893eb8db80
  SHA512: 21c05950f71341e133395dc4cbb5aa3bc9cefd2e54dca22b6976ce58713c6de687264a0199c698a648f50032e413e7a5236d97c0a832f8fea72184f43b0c417b

- Filesize: 8KB
  MD5: 38c85ea21bf290989abc012517407dd9
  SHA1: 6acbf91a6e78b96f20f0dc99009d4ebc902b1cd7
  SHA256: 9d64dacc4c54b0e1340df77988b2cf01e6e98586d3bfc2bd04dc6cd0de73205f
  SHA512: 9c25bb2b34c522171063e8c497b27563cd35456640833671538a3d0db6399a743d5d70e0fd58785f56e60f0498ef2b108e20483873849c81848b7f768cae5016

- Filesize: 8KB
  MD5: 5a7eec352961c379e07765e8964338c4
  SHA1: a0dd1beecd3951b04d3ecd49b5541fdf5c397982
  SHA256: 6f5e0baa06bd019d8daf149c4a17e7d2ec3ba7809f0436efc6f01c72d6d77189
  SHA512: 6b37e5841f08a2154ce8dd23ddd7faf08d619ad3db77d18657bb60a788947f02fa3d5eccfba0fb1393d76322601108b98373af57a55a97cde3b7a5cb8cf085d8

- Filesize: 9KB
  MD5: 70abdfdef4ee4ffe9db904afc930f50b
  SHA1: 31964586279c7a0c8399ba2ebdc595c31152ce45
  SHA256: db7bc923e10fdbb24d642e91b60e1e8d160ba0871dac229406a508415af20f4e
  SHA512: b3a0561e7a8669dfd5661ef52f99e5d89e6ea21ab065a02fa6805504831cfc42619c9267b714da59081ab91b33eb78ca5bf7b731a0cb296fb2eeb3646e093de7

- Filesize: 9KB
  MD5: dbd27c0b90fa4e98dec670ea00f87e34
  SHA1: 439aa9ca3420a76ddb55fa22ffc747be3673dba8
  SHA256: 07701406c637a10f479139b88abec60dcaf23af188d6d35a228aaf9aae1c2ffa
  SHA512: c895d76d56fca02aba53f3ccdd4e5b78b3bb509c3a26a0d9808d9eb28768fee319e45713fda2456f779d477d7630d2600480ea976a0914a0e62516ab3de7e1fb

- Filesize: 10KB
  MD5: 6883dc81f7876e35e7be9a6b25af53a4
  SHA1: fbc94714a05e5a33fc2f81702ba6ce30365ed2af
  SHA256: fdd313f03d764d84a2bdcc60a9bf04db113068c949c8dcacc87a62d54c0c469d
  SHA512: 0365e0f065dfcfa32c4469fc74d15add7300d8d8e8aba6f36d0b5a7edb9e0366f258ee7aa073540dd3016d03afd5d255f10708720dd37ff09a8de872192b5de0

- Filesize: 15KB
  MD5: abb43758e5ac28dda6ad6d8421570e92
  SHA1: 9b47f0a008d0d94e111c83f864739c1147ed4bda
  SHA256: f4a42650461cd31db49ecfb078975a085f29dd4b20e338bbc5dca418cad6a3f0
  SHA512: 82a913e86cabfe0112ef3e21f1b73d1c40206d9790c3840ebaa0cb47f089fc5086f784e58cbf186a6767087c9ebeeb216ae8f5363ea62759caf49aad43fb3fbb

- Filesize: 185KB
  MD5: baf30fdd36390395e08110764b8fbbdc
  SHA1: 06369c38c1b47364551d111310e1d11076e28539
  SHA256: a64b40162f91b3d5a550c6a395dc00ba95ddddb62b5811a190953606b8d89689
  SHA512: 856d2088e53666612522c4bb49fc44a8940bff0445596e93140063b10241585a523563221f5e02583381012706eb5a184d6c4c0ce05ae533aabe1f0dc0bf62fc

- Filesize: 185KB
  MD5: 72dc1b00cbd8678c7ef6f4562ca80259
  SHA1: 6b1a342a7b9c10f8c3d4c97ddab3ad666df2cee7
  SHA256: 105cfe13a8390f50fdbec81c990a9b8487b44fc4202bd3362084cf365c484e30
  SHA512: 5a84d16b20fefefcf1489bda0e1bfc9c1aaf1bb1d93a2f199fd39697c34a7b0b8c56275378ee854c4c7a947c864419783c6f880169164025b0cace7079fd4df8

- Filesize: 152B
  MD5: bafce9e4c53a0cb85310891b6b21791b
  SHA1: 5d70027cc137a7cbb38f5801b15fd97b05e89ee2
  SHA256: 71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00
  SHA512: c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

- Filesize: 152B
  MD5: a499254d6b5d91f97eb7a86e5f8ca573
  SHA1: 03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1
  SHA256: fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499
  SHA512: d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

- Filesize: 261B
  MD5: 2c2e6472d05e3832905f0ad4a04d21c3
  SHA1: 007edbf35759af62a5b847ab09055e7d9b86ffcc
  SHA256: 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
  SHA512: 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

- Filesize: 5KB
  MD5: b99802bb4191f6b47189af3f3c6be246
  SHA1: 0ec187ef3ec6582fb1c64499d96c14327cbd4e5f
  SHA256: b9341e55e1dc1140bc45194a9003ff7869480b1918eeb1a995cfceb923f754db
  SHA512: b0329ea1a833893a23af1e35fe082a41f6ad1706b259835e4a285b97e78c8f5c7ee6186da342d2b1a4d60da265c20cfb48aeb0fb32deb495caf3200d33fac28a

- Filesize: 6KB
  MD5: 0b09b426565ba8b55629190172c064da
  SHA1: fa747fd4f2c6281849b1c09af533d04cd48fa1e8
  SHA256: 6b49de4270bde53964dbd511ad702cef468b15798b8cf820a44333c1d22caada
  SHA512: d2727f8375f68d3dc4f28825cb9b4643ed382e8c78e25177a878a444c39dd3e1010d78783b66c216a5dbbf457157b89d40753b18e5a2bf8a836ce197c2ce03d2

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 3ae48bbc68774b383d41127bc30a06b3
  SHA1: 3777df8d86439ef625c86eaa1cc44e31ba309529
  SHA256: cf7edd55aa5ba4ec4a69b9d9be220d8a485b0a1c9fed6c35e427da29c3d95781
  SHA512: bd6448c7432c4c77e06d5ceff72bc2ccd894a8182a0f467c85e5876a3f78432074b473c36acbd0866053b9aafb10db2328e1b5f5aa53ed84105806572968e7a0

- Filesize: 916KB
  MD5: f315e49d46914e3989a160bbcfc5de85
  SHA1: 99654bfeaad090d95deef3a2e9d5d021d2dc5f63
  SHA256: 5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7
  SHA512: 224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e