Analysis
-
max time kernel
784s
-
max time network
754s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
15-08-2024 12:54
Behavioral task
behavioral1
Sample
virus.exe
Resource
win10v2004-20240802-en
General
-
Target
virus.exe
-
Size
483KB
-
MD5
cbab80f7f17d6c3830a17d7fee29cd30
-
SHA1
701eb7c9e2b662728f23dfaa34e634f11847aad7
-
SHA256
eea9c58429ef1465aa760fada958b5d580e3ea0c2a40a7c11de9f5518f661706
-
SHA512
e5b0acbeadadb3e75e2b8aa4794ab5fabe41de92dabc46120c84c6e0000da55900eecd7d12f1bb1a392b0dc9dbcb1e97fa7bf54a8281e6ebb2ca100d2c91fb90
-
SSDEEP
6144:wTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrRT4:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBKT4
Malware Config
Extracted
remcos
RemoteHost
mode-clusters.gl.at.ply.gg:36304
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
$77-Update of anti root
-
copy_folder
WinDMRmanager
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-W4O1LZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
UAC bypass 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | virus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | virus.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | iexplore.exe
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid | Process
1648 | iexplore.exe
-
Executes dropped EXE 4 IoCs
pid | Process
5072 | winrar-x64-701.exe
368 | winrar-x64-701.exe
5952 | winrar-x64-701.exe
5664 | winrar-x64-701.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | virus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | virus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" | iexplore.exe
-
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\WinDMRmanager\$77-Update of anti root | virus.exe
File opened for modification | C:\Windows\SysWOW64\WinDMRmanager\$77-Update of anti root | virus.exe
File opened for modification | C:\Windows\SysWOW64\WinDMRmanager | virus.exe
File opened for modification | C:\Windows\SysWOW64\WinDMRmanager | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\WinDMRmanager\$77-Update of anti root | iexplore.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4908 set thread context of 1648 | 4908 | virus.exe | 87
PID 1648 set thread context of 3780 | 1648 | iexplore.exe | 90
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | virus.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{5DCE435B-65EC-4853-90B8-4482283DFF6C} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | iexplore.exe
-
Modifies registry key 1 TTPs 2 IoCs
pid | Process
3672 | reg.exe
3236 | reg.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 711328.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
4908 | virus.exe (×2)
2900 | msedge.exe (×2)
2856 | msedge.exe (×2)
5080 | identity_helper.exe (×2)
3024 | msedge.exe (×2)
4628 | msedge.exe (×2)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1648 | iexplore.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
4908 | virus.exe
1648 | iexplore.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid | Process
2856 | msedge.exe (×15)
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2856 | msedge.exe (×64)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
2856 | msedge.exe (×24)
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
368 | OpenWith.exe (×3)
5072 | winrar-x64-701.exe (×2)
368 | winrar-x64-701.exe (×2)
5952 | winrar-x64-701.exe (×2)
5664 | winrar-x64-701.exe (×2)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4908 wrote to memory of 1488 | 4908 | virus.exe | 83 (×3)
PID 1488 wrote to memory of 3672 | 1488 | cmd.exe | 85 (×3)
PID 4908 wrote to memory of 1648 | 4908 | virus.exe | 87 (×4)
PID 1648 wrote to memory of 1808 | 1648 | iexplore.exe | 88 (×3)
PID 1648 wrote to memory of 3780 | 1648 | iexplore.exe | 90 (×4)
PID 1808 wrote to memory of 3236 | 1808 | cmd.exe | 91 (×3)
PID 2856 wrote to memory of 4328 | 2856 | msedge.exe | 122 (×2)
PID 2856 wrote to memory of 652 | 2856 | msedge.exe | 123 (×40)
PID 2856 wrote to memory of 2900 | 2856 | msedge.exe | 124 (×2)
Processes
-
C:\Users\Admin\AppData\Local\Temp\virus.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\virus.exe"
    PID: 4908
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
      command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 1488
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
        command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID: 3672
        - UAC bypass
        - System Location Discovery: System Language Discovery
        - Modifies registry key
  \??\c:\program files (x86)\internet explorer\iexplore.exe
      command line: "c:\program files (x86)\internet explorer\iexplore.exe"
      PID: 1648
      - Adds policy Run key to start application
      - Deletes itself
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
        command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID: 1808
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
          command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          PID: 3236
          - UAC bypass
          - System Location Discovery: System Language Discovery
          - Modifies registry key
    C:\Windows\SysWOW64\svchost.exe
        command line: svchost.exe
        PID: 3780
    C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qvausfwbkeriznlfqhznxzk.vbs"
        PID: 3024
        - System Location Discovery: System Language Discovery
C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 1624
C:\Windows\system32\OpenWith.exe
    command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 368
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    PID: 2856
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe01dc46f8,0x7ffe01dc4708,0x7ffe01dc4718
      PID: 4328
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      PID: 652
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      PID: 2900
      - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      PID: 1672
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      PID: 3776
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      PID: 760
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      PID: 2400
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
      PID: 1752
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
      PID: 4324
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
      PID: 5080
      - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      PID: 1356
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
      PID: 1788
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4028 /prefetch:8
      PID: 984
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3704 /prefetch:8
      PID: 3024
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      PID: 3300
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
      PID: 1212
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
      PID: 760
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5896 /prefetch:8
      PID: 5224
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
      PID: 5232
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
      PID: 5280
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
      PID: 5496
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
      PID: 5632
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
      PID: 5640
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      PID: 5796
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
      PID: 5804
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,3129973944271123311,6556830436289214599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
      PID: 4628
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\Downloads\winrar-x64-701.exe
      command line: "C:\Users\Admin\Downloads\winrar-x64-701.exe"
      PID: 5072
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Downloads\winrar-x64-701.exe
      command line: "C:\Users\Admin\Downloads\winrar-x64-701.exe"
      PID: 368
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Downloads\winrar-x64-701.exe
      command line: "C:\Users\Admin\Downloads\winrar-x64-701.exe"
      PID: 5952
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Downloads\winrar-x64-701.exe
      command line: "C:\Users\Admin\Downloads\winrar-x64-701.exe"
      PID: 5664
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 2804
C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3260
C:\Windows\system32\werfault.exe
    command line: werfault.exe /h /shared Global\bf46b2604e544ce1ab585397cb5b86eb /t 1484 /p 5072
    PID: 4700
C:\Windows\system32\werfault.exe
    command line: werfault.exe /h /shared Global\8c9c6855da9d4b6f88edec415c33c59b /t 5020 /p 368
    PID: 5568
C:\Windows\system32\werfault.exe
    command line: werfault.exe /h /shared Global\924519ecac5f417794db5f1a441f3d14 /t 5772 /p 5664
    PID: 5412
C:\Windows\system32\werfault.exe
    command line: werfault.exe /h /shared Global\86eeb5e8f0604915b8a54c814ea2f38c /t 5692 /p 5952
    PID: 6064
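The Malware Config, Signatures and Processes sections above give everything needed for host-side triage of this sample, and two details in them deserve a caveat. First, the config says install_path is %WinDir%\System32, but the file IoCs show C:\Windows\SysWOW64\WinDMRmanager\...: the sample is a 32-bit process (note the SysWOW64 cmd.exe and reg.exe children), so its write to System32 is redirected to SysWOW64 by the WoW64 file-system redirector, and a hunt that only looks under System32 will miss the implant. Second, the chain virus.exe -> iexplore.exe -> svchost.exe with WriteProcessMemory followed by SetThreadContext on the same child is the process-hollowing pattern, not a real browser launch. The RemoteHost is a ply.gg name, i.e. a playit.gg tunnel endpoint rather than attacker-owned infrastructure, and the $77- prefix on copy_file follows the hide-prefix convention of the open-source r77 rootkit, which is worth checking for on a live host although this report shows no r77 component. The script below is an added example, not part of the sandbox report: it derives the real drop path from the config, splits the C2 endpoint, and runs three detections over event lines constructed in the shape of the report's IoC rows (the OneDrive Run value is an invented benign entry for contrast).

```python
"""Added example, not part of the sandbox report: turn the extracted Remcos
config and the registry/memory IoCs above into host-side checks.
The EVENTS text below is constructed to mirror the report's IoC rows."""
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
REMCOS_CONFIG = {
    "RemoteHost": "mode-clusters.gl.at.ply.gg:36304",
    "install_path": r"%WinDir%\System32",
    "copy_folder": "WinDMRmanager",
    "copy_file": "$77-Update of anti root",
    "mutex": "Rmc-W4O1LZ",
}

# Constructed event lines in the shape of the report's IoC rows.  The OneDrive
# Run value is an invented benign entry to show how the config-derived path
# separates the implant's autorun from ordinary ones.
EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" virus.exe
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-W4O1LZ = "\"C:\\Windows\\SysWOW64\\WinDMRmanager\\$77-Update of anti root\"" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\"" explorer.exe
PID 4908 wrote to memory of 1648 4908 virus.exe 87
PID 4908 set thread context of 1648 4908 virus.exe 87
PID 1648 wrote to memory of 3780 1648 iexplore.exe 90
PID 1648 set thread context of 3780 1648 iexplore.exe 90
PID 2856 wrote to memory of 652 2856 msedge.exe 123
'''

REG_RE = re.compile(r'^Set value \((?:int|str)\) (?P<key>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
MEM_RE = re.compile(r'^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) '
                    r'(?P<dst>\d+) \d+ (?P<proc>\S+) \d+$')
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\policies\\explorer\\run\\")


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def c2_endpoint(cfg):
    """Split RemoteHost into (host, port) for a network block or a DNS hunt."""
    host, port = cfg["RemoteHost"].rsplit(":", 1)
    return host, int(port)


def expected_install_path(cfg, *, windir=r"C:\Windows", wow64=True):
    """Where the implant actually lands.  The config says %WinDir%\\System32,
    but the sample is a 32-bit process, so the WoW64 file-system redirector
    sends that write to SysWOW64; that is the path the report's file IoCs show."""
    base = cfg["install_path"].replace("%WinDir%", windir)
    if wow64 and base.lower().endswith("\\system32"):
        base = base[:-len("System32")] + "SysWOW64"
    return "\\".join([base, cfg["copy_folder"], cfg["copy_file"]])


def unquote(data):
    """Undo the report's escaping of a REG_SZ value (backslash-quote and
    doubled backslashes), then drop the quotes the implant wrote around its path."""
    return data.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def analyze(events, cfg):
    """Return Findings for UAC disablement, Run-key persistence and the
    WriteProcessMemory-then-SetThreadContext pair that marks process hollowing."""
    findings, writes = [], set()
    implant = expected_install_path(cfg).lower()
    for line in events.strip().splitlines():
        if m := REG_RE.match(line):
            key, data, proc = m["key"], unquote(m["data"]), m["proc"]
            low = key.lower()
            if low.endswith("\\policies\\system\\enablelua") and data == "0":
                findings.append(Finding("uac_disabled", proc, key))
            elif any(run in low for run in RUN_KEYS):
                detail = key.rsplit("\\", 1)[1] + " -> " + data
                if data.lower() == implant:
                    detail += " (matches Remcos install path)"
                findings.append(Finding("run_key_persistence", proc, detail))
        elif m := MEM_RE.match(line):
            pair = (m["src"], m["dst"])
            if m["op"].startswith("wrote"):
                writes.add(pair)          # remember who wrote into which child
            elif pair in writes:          # same pair now gets a new thread context
                findings.append(Finding("process_hollowing", m["proc"], f"{pair[0]} -> {pair[1]}"))
    return findings


if __name__ == "__main__":
    print("C2:", c2_endpoint(REMCOS_CONFIG))
    print("expected drop:", expected_install_path(REMCOS_CONFIG))
    for f in analyze(EVENTS, REMCOS_CONFIG):
        print(f"{f.rule:22} {f.process:14} {f.detail}")
```

On a live host the same three checks map to EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, the Run and Policies\Explorer\Run values named after the Rmc- mutex, and the dropped file under SysWOW64; msedge.exe writing into its own gpu child (the last event) is ordinary browser behaviour and is deliberately not flagged because no SetThreadContext follows it.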
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (4)
Downloads
-
Filesize
152B
MD5
719923124ee00fb57378e0ebcbe894f7
SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
152B
MD5
d7114a6cd851f9bf56cf771c37d664a2
SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB
MD5
a0739f749afed095cf609766c8874d42
SHA1
3f1329314b91f08eb46006f57c851fe115261a4f
SHA256
77aa642f868d84522df9bd07d3ccb98a4a997d4bfa137c8ffb597e1dbd26c0c0
SHA512
1413bdad2a9d3f5ef7b44adae6523403dd3744f12bc000c6265de5e6bc9a3a7b7d5ae644a47213e44bc9a79999bfae1a32afba7fe0229cec8cbe8f32f5f0e28d
-
Filesize
111B
MD5
285252a2f6327d41eab203dc2f402c67
SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
552B
MD5
911965790b083419cdd1fff2cfefbcce
SHA1
f669bb17ee530c5268b87af96ef71d2015b4719c
SHA256
5ed8fa6521514ecdf94ad1bb6bf7cd93837134a276f3f07ba3a26c23387db7e6
SHA512
6dbdbf31a97e6996d4362a8779d50687cd68891b8e2da6687c3ca71004b41ae5befb7f6ae10bb359be9c9fa80e48c5c4591e3c6f4d667f713833921c8c4f74ee
-
Filesize
5KB
MD5
9171786386c57a1b58ed6dadbcd3757d
SHA1
596db8f510705d4978224ca8554580189a432283
SHA256
cc1caf38f99c4c88ccb8d5a68ad40c3a5574170645a36eda7e85e5a88b41bd72
SHA512
72cc48a04d0c18aa8932c44b583f5c29ba48cec5303fb9d5e84776c70a83b5a547055349277e2318586656c7bb75a73bbe0db978263847f7fda230641a172027
-
Filesize
6KB
MD5
f7ed34b45b3f5d55e1d08465a83dc4c5
SHA1
d61b9ce3eecd7020de875439a7dccff62c0203b6
SHA256
274364474b3fb8d03d3d61ed1124bf7e2008c6dbf9bb965dc3bcb62375096824
SHA512
f127eb5e1857bf6b3a95355c1e33010264a6ef68e07abdaba83d91e8e605667ea964bc32b57e57519429a86b4da1b68cf8c0e71db234c7945f0bcc60195de572
-
Filesize
6KB
MD5
f4e58eb37cb7b43e2075331b9c96df10
SHA1
90c1ff287b637d8094191984a9057eb3d2ea4a97
SHA256
e8a933de4370099826bcdd3bec038e2dc7864eddae231c6944c9125e14e3ebd4
SHA512
2025f164664fe5aba6f5daba5145cf61ccd63e9d70e05457149a2ed1723b352e4c4f0a2cf9f5cf503ea8ca2134b6b81924efd368e97fe22b6df87c3624c6ed26
-
Filesize
7KB
MD5
11680724be44932def8c139758a539a0
SHA1
23e80c7d7421f7a492664f77f5bc03e83f97c07a
SHA256
c5371f8791d424db7f2e1dcef11619c1ecb1dd5403a232aa694d33afdeab8741
SHA512
b1da38b245592347fcb3911047d5893de8043f360d9d5cc29c94fe2b4c3cf43e112e9c41109e9170d4e1093b5b287366a63bdc194dda9b9011b37dbb7cefc5a6
-
Filesize
705B
MD5
3e46aa1b1be9873a64bc29e9100892e6
SHA1
b8b42de9b25f086240289a7e06064e8dc9585bd7
SHA256
c69bf45f6a454fd5e853d022e5734b0d1704f9655f8bc6492297471db2ccf2ac
SHA512
7f795d110a20528ef3f2ba11a06a6b30de52155652048cc7b7f40826619eb3845350f9472d362a4efa4944d6819a2186828e9c4afb436b400a013a8d311def5a
-
Filesize
705B
MD5
d1919e09bcd6de1b6493639b782e5530
SHA1
5222ade6ea8d0d0b4caf410d0b607bd1d18396a9
SHA256
12c2308f305a4b1defc9c1d03b5a7c6cacb981601f7a0de572629a8733aaa846
SHA512
712cdf43476d69bda35f0d51c90ac407286ef691d2be7d0329ab13314982db1837aa5b2ec9dbf07971cf8a57fbf8bc081374fd97cf7f583a27493b9cf86d61c1
-
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5
6acffa1bd8c22dacf927c1fcf6e5d4eb
SHA1
6e76264f3d2a18701f6f51459b1b5d3abd35b581
SHA256
c6b3c2ce9112eebb8cc454754a58bf6b894d0dcd23e66c8a9c42434f1d3a9b85
SHA512
490b4344a78cbdf91b72e1ed6c252ef2fdaeb7db5e5a09cfdcc166b77aad0f3a35d838b654710e0653e1d4ab931bb3fe857bc8dd0a0c35d36524932a4a5ec777
-
Filesize
11KB
MD5
b08beb67321d41bdeb0f1e005cd87e26
SHA1
c751b323f4f774deb473f733f2394ee81ae9da0f
SHA256
4142292a33c55c9da40016c0a1354218bd808ded10e60bffe2abb043d9884f25
SHA512
a0af60981a72e7e01868c04dde1a904b5a4f7a02401de3bdacca3f1fb9a01b7c0fa4b69b9c28e94b15e34ec6d118edc31b09c1885c80da232a50588c68942a29
-
Filesize
12KB
MD5
afefcb4bb24c9aea3e2c79d86e34b9b4
SHA1
4634c92472383c6d0c3279d98de9370d9e36b004
SHA256
581b688d72a8afd109c5b3aae3f66c7cb7dbe778819a242f1eb3eb0b6619fba5
SHA512
e63b0bee46b60392ddeca29a3a4547c627db6184be0c50ebef4de4cab364b1052e1eef48748b68424c17e50880557ed3d9fffabc63944fcce82cdff2a5307238
-
Filesize
654B
MD5
f9903a94c05461ef865cd21d06b63a2f
SHA1
731f5328eb5461d1d6582f84ea1d7a3800e8758f
SHA256
d7ae25d8fe5a9c3bc85077dd2f22c017df803084978cf4a4c48a1aad37898ec5
SHA512
f1d8f1f63a6561119e7f1809e061ca8af05255da51e7f5ce6e08c3d8c91b3de117dc636d8c438add9895ed802ea105475d87f949a42d4598cea3305b56d415fe
-
Filesize
3.8MB
MD5
46c17c999744470b689331f41eab7df1
SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
-
Filesize
483KB
MD5
cbab80f7f17d6c3830a17d7fee29cd30
SHA1
701eb7c9e2b662728f23dfaa34e634f11847aad7
SHA256
eea9c58429ef1465aa760fada958b5d580e3ea0c2a40a7c11de9f5518f661706
SHA512
e5b0acbeadadb3e75e2b8aa4794ab5fabe41de92dabc46120c84c6e0000da55900eecd7d12f1bb1a392b0dc9dbcb1e97fa7bf54a8281e6ebb2ca100d2c91fb90