Resubmissions
- 30/07/2024, 21:22: 240730-z732astepd (10)
- 30/07/2024, 21:18: 240730-z5vl5szalj (10)
- 30/07/2024, 21:06: 240730-zx8h2atala (10)
Analysis
- max time kernel: 134s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/07/2024, 21:18
Behavioral tasks
- behavioral1: Sample Injectorka.exe, Resource win7-20240729-en
- behavioral2: Sample Injectorka.exe, Resource win10v2004-20240730-en
General
- Target: Injectorka.exe
- Size: 93KB
- MD5: c40c09bf0ce0defbe50f123e8d6a6174
- SHA1: d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
- SHA256: 272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
- SHA512: 8f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4
- SSDEEP: 768:RY3PI530YTXspgM0m2zGjpyDtdXWuDtXYLWhyXxrjEtCdnl2pi1Rz4Rk3zsGdpD3:8IZ0AA0mT1mrWnL5jEwzGi1dD/DDgS
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid / Process: 3540 netsh.exe; 1224 netsh.exe; 5064 netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation (Injectorka.exe)
- Drops startup file (6 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
- Executes dropped EXE (1 IoC)
  pid / Process: 2644 server.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow 8: 2.tcp.eu.ngrok.io
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Explower.exe (server.exe)
  File opened for modification: C:\Windows\SysWOW64\Explower.exe (server.exe)
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Explower.exe (server.exe)
  File created: C:\Program Files (x86)\Explower.exe (server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key queried (3 entries), Key value enumerated (3 entries), Key opened (3 entries): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe, 3 entries; Injectorka.exe; server.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2644 server.exe (all 64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 2644 server.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid / Process: 5016 msedge.exe (all 5 entries)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege, 2644 server.exe (1 entry)
  Token: 33 alternating with Token: SeIncBasePriorityPrivilege, 2644 server.exe (32 entries)
  Token: 33 and Token: SeIncBasePriorityPrivilege, 2416 AUDIODG.EXE (2 entries)
- Suspicious use of FindShellTrayWindow (32 IoCs)
  pid / Process: 2644 server.exe (7 entries); 5016 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process: 5016 msedge.exe (all 24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1932 (Injectorka.exe) wrote to memory of 2644, procid_target 84 (3 entries)
  PID 2644 (server.exe) wrote to memory of 3540, procid_target 86 (3 entries)
  PID 2644 (server.exe) wrote to memory of 1224, procid_target 88 (3 entries)
  PID 2644 (server.exe) wrote to memory of 5064, procid_target 89 (3 entries)
  PID 2644 (server.exe) wrote to memory of 5016, procid_target 94 (2 entries)
  PID 5016 (msedge.exe) wrote to memory of 1560, procid_target 95 (2 entries)
  PID 5016 (msedge.exe) wrote to memory of 4244, procid_target 96 (40 entries)
  PID 5016 (msedge.exe) wrote to memory of 4220, procid_target 97 (2 entries)
  PID 5016 (msedge.exe) wrote to memory of 2136, procid_target 98 (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Injectorka.exe (PID 1932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.exe (PID 2644)
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    Signatures: Drops startup file; Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 3540)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 1224)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 5064)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5016)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=UIFyFyJqHtM
      Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1560)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde1bd46f8,0x7ffde1bd4708,0x7ffde1bd4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4244)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4220)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2136)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2580)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4832)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3032)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4160)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4204)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4872 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3248)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2636)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4624)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3720)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 4060)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4892)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1388)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 2416)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x42c 0x300
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 4576)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads