Analysis
-
max time kernel
316s -
max time network
311s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
02-11-2024 05:56
General
-
Target
https://drive.google.com/file/d/1yQk0LO73agQzljwm2UkJAwUI6wObD7pS/edit
Malware Config
Signatures
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 14 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1yQk0LO73agQzljwm2UkJAwUI6wObD7pS/edit1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc56c646f8,0x7ffc56c64708,0x7ffc56c647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6540 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6552 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6336 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7792 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7492 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff61fc55460,0x7ff61fc55470,0x7ff61fc554803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4864 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\EzExtractSetup.exe"C:\Users\Admin\Downloads\EzExtractSetup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7592 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8040 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,11197104705870425458,18433572009947043664,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6360 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
881KB
MD53b67b6026237810356f5aefb373d2b15
SHA11a4d565f81195adb9c048f8eb7fa7d77018ee3d1
SHA256554ef8f1d2b201421a53dbbf897fcbea20dbba9d6e8fa881ad0b52be60c11f5e
SHA5124e4a7445b1580c2076174c336414d5918a3fc0afbb13d56d29bd1fc18ca114affad1ced06fd52624292012dff2b95a76b19f4e3f9940c2d9a333c290a95d4641
-
Filesize
1.9MB
MD5ede6796697abfd295b96322048642a69
SHA1d0e7aaa407c4576eee42032bf743e9194a9c21e7
SHA2566f9b0b8e8d1efbe25b81b0676a5902ec97aac1bfdc84a1a2d1b58659eb44dc5d
SHA51288daf23e91c542c7348aa5c0fd16d382ef2fa95d7d5f91a4d5e39cf5d5b361eeaf4f33fcb43a71b52e4cea20c2b9dcb2b4e909d7ca3e5ab0c6d569f672dd385f
-
Filesize
167KB
MD5968e162057c49c860813e465bfd3c2fa
SHA178e5b2e365a3cd7bd3f7fc4dfd9991568ee2ec8d
SHA25608ccd848487f570175e3c5b8fa70b04ce30e3afb9f43b4105180e2eb079c85c6
SHA5125c41164239607fd32393742943e588d461b8a1d276d9e8142929aa7a22b6f5a82a723b2fff0389ed84677cb9ea9cbf1d793a66d27c367b8f7b9909a242f94eec
-
Filesize
126KB
MD524be51bce468016e106b55b19a2cbc80
SHA1c7e18c81ebe523a1fefd845c9f9e09b881fccd11
SHA2562d3a1c7e0e6256344648a054bc5526d4804538fef9cc87efab9edb426bf1f4a6
SHA512697d736f24b8e28db98885ad248048f43d6bf26237dc0e9651d37810d992fb2482cfd23a26d10164a2a30ad326fbbaca9390730ec498972cc91f673b77756859
-
Filesize
11KB
MD5ae3ae2010a4971f6fdf44f945d235d80
SHA19ad8643bf4a56f7d497fadaa703102e0aeb37e79
SHA2564e3591625d0884b7d78cd42ced7ed2d7f944e856cb45af212f4cf4cd180d3f7a
SHA512c7054c198a3b99377bf9b24b6d8f8bf259bf453e79c041f190c4eb9128af0ade7583240a79f8dcc3e09c5bd0e66b4ba5d41b4264d1c3e50fa8e25e79a02b2c5b
-
Filesize
152B
MD5467bc167b06cdf2998f79460b98fa8f6
SHA1a66fc2b411b31cb853195013d4677f4a2e5b6d11
SHA2563b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd
SHA5120eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286
-
Filesize
152B
MD5cc10dc6ba36bad31b4268762731a6c81
SHA19694d2aa8b119d674c27a1cfcaaf14ade8704e63
SHA256d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f
SHA5120ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56
-
Filesize
48B
MD50c11637702002cf72602a76b2ca7867d
SHA1cf16f26464cf5fff30d08cd96aade6d76d4633e6
SHA256e7ca829e082769f944b508af7c7ceaec247efa3a5e7cfe56ef3613f3b6b49550
SHA51242151e3039579c78ccf7e41d8e051d87e1ea69533c44c5daf1f668a61bb1cf1d754366828421b914327aa11096bd0cd6114a636f7e708f8bb079ff6d52afc3e9
-
Filesize
552B
MD541f5d00c94b386ccb783435c109254f9
SHA1cc80b0c23e7fcc52f76e70ca95c6fa45516847ec
SHA25664ff13321db076e7a8e6b59a7a17f1def880eff4ed47b83db4c36970c3262944
SHA512c01c18e185579b276f397f6648ea24a3fc85a6177fba32604c2fc1804dbdc7118297ec0fedf173d47d6d6f47f266169a9db4ba5931917ca178d2324686cf70d8
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
264KB
MD5751317cc24a5776f52468926c3a9a1ba
SHA173cb12cfbfa95cc470e85609d15f71644884815d
SHA256c16256eef53f96e9450a448ae6a492482c628ad95a8cb77326fa5057e5a159cb
SHA5120d25a5bed382a76cf1201a4ac3e3685491e7dc0303c340628c94582ba6192e457cd0cb85f0b4e81925f9825a31aff3ef6427f4e8a1db1cc0e7e3f07ec8fc921b
-
Filesize
4KB
MD5f07ed0a4b98f7a873ff8bec4fa446eed
SHA11e600d9d4ea9e614bfcc68c955687cc49d2cfdb5
SHA2564856a6b4cf37bd9b0f6254b5ae795d311dad3216eb4cb8e7b4c9469a7143890c
SHA512878b8b806343480e442fed2445fcec8f653385e962db19c008d5e7eb22b6c4003387090181b640ac11814585b3fc48135512f6159523d4f3dd47b2387ca5ee0c
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
6KB
MD5f908439c89a77ef4c3a2f8af3d5e7702
SHA12b97463f4db163e27b428448b35395b79cbd28b1
SHA256375ad20328742b43bafab0f762d9b182863c248db5583b7af0563a01088dc027
SHA51220607fa40ab1d9c4b7fe6dbec5a982586bee3a7eb547698ef2332453426b2b07404c3d7910f283e8b1c505a8215ef36abe0c04f31adbfff21a8064536e1189f8
-
Filesize
5KB
MD56dc3445395607f8536338fd545ead715
SHA19af5af1c1a950b610ff6f24797e6d2e2c76f7317
SHA256235c8e9ad3c0493fab30931d747f6aca27860ba384bc1c12ff6f3e424248c919
SHA512761e96228608b646f5a9500ac5edb04915676d6ef0ba6f2bb1599ae5de76a29a130e51b5931173115482f037f4d639ceed557bebff02a842509a67a435979901
-
Filesize
6KB
MD56cd97f9925c63a83f07becdf6b17450a
SHA1e52aa3a6f93c455ce5c707c51fd4e76871978a68
SHA256882e2c6bdb0e037f593481668bee31658f2cd46be0cb9e3a1db233159fa3e518
SHA512d51419e8550593f4c1a1385541cb0bfa090216258d919656cbcc2112dd65724c83d7076a2461daf738477efa61fb3aee6d6b1c594ddede7bd4c66d49a6b5b631
-
Filesize
7KB
MD5d2fafbff05b41ff44f6e446654a6f685
SHA163630200f684b9978dfc968ae5e6b130d783effb
SHA256c4a034c89c8d666fbe44ba761b65be5fd37b48d344e8d37f41c098099bb5fb88
SHA512df4dac3d5023e8102a7c393347e68f9c389a1731911c2ec261996133af8e41c760f27fefeb18e00753428532c2d769333fac35fefcfe88b61071be4df6377fa1
-
Filesize
24KB
MD55c2d5c900312f44e72209416d45723cb
SHA168fb8909308589149399c3fb74605600833fbbc1
SHA25656f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8
SHA51207c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b
-
Filesize
24KB
MD53b964859deef3a6f470b8021df49b34d
SHA162023dacf1e4019c9f204297c6be7e760f71a65d
SHA256087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5
SHA512c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD504bfa524775c9d4b3b8fc67c7bff4a9b
SHA163fdc9578c67947adc8d90d58b728ca3daaa12b6
SHA25611494a42a054a901ed7026b8993fb51e6a4715dbb69a128054d306f33fd61b26
SHA512b749059016e631d34e431ef44bdb98f3bcc04b4e417caf3a742c8f6b803c48f3619b3f4c359d8ce069f81173aeb855ba53aa693fdf9f5b15484bb7f9683ddb39
-
Filesize
11KB
MD58d02350693fe1e830854d3f0a49cf6bb
SHA11f3e90ecded1d4915f0fbd8dda1f1ca966dc9ca8
SHA256e43e469bef3ddc3ef6ca171334af01db0fd038a5efa7a83107eeb122b3f1145d
SHA512b7f50f6b0b4eaa35ba7909fb5da01be96089e017cef039650ddb3fe9a7a4f609bd219cf456e8a044e59d8a26063ff57afe4ae087898c7006b8e3cd551d6d0006
-
Filesize
10KB
MD5a5e7dfa4f845ea2bf13538a2d18dfda3
SHA1f38e2094b6f45d96c536e9539111f1ea0a47daf6
SHA256070e261f56e2f7b365d9050c87185195969ec86b854f34e434e064a97c487cb4
SHA5126d54c62bafc34a864d0a462d270804e5c4a644df72c70f1d0aadfaf01fd883ccd98d05667bb3538ffc9253d2309f55257dbfbf5ceab274907a9014b79cc1b4dc
-
Filesize
10KB
MD5da3d9d7d4f19eabebe6c15c39912e675
SHA1f48cb78def504484b813b64bf5d0bca229587201
SHA256d2e1d093e41c2c973a8b10351d0b963f58eaf570cca2f47e3887a2e59bfdbef9
SHA5129ecd03866111f8d7d59ad01d2b9914653f53ae194e6111893c2c93af02787c19eeb007494b0c6e6bdf7cb94e41a311f9ec41a79a59a2d23535a709874d7175d1
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
280KB
MD51d0e98e6817a35237509731e1398b47a
SHA12690a72941f1641495a1cf51ebf5399987a74e5c
SHA25623abc9395b36419700f31b507f13a189ec2eeb70c7e1a1fe9406c2b9e0728298
SHA5125cf919baa11e3cdc3518a351e206a5dc84bb1beaf933194d27fb0a96edbc6b90a58106c45a357e8c7af9de815b4e74cf5e42a22bc91b5fac02bb386a6638d0ce
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
25KB
MD5cbe40fd2b1ec96daedc65da172d90022
SHA1366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA2563ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA51262990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63
-
Filesize
9KB
MD56c3f8c94d0727894d706940a8a980543
SHA10d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA25656b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA5122094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
-
Filesize
3KB
MD5c988012f59d99ae66cb9424ef3d490b9
SHA1913e905e64d186fbe7a936a36c0b792f5d52f9d4
SHA256430e9c5d0a2c379b9cc34c1c6c4e3134c7745392fc17aa3890d0a295e3f7eed2
SHA512c850a57df35405319ffc51e5aa7e3fd6eccf8794bd578aaa56b9cc92924c895c07913dca1a0604a40ffbf3583afac2925b2862d6128a3597d2b1d51d51f3452d
-
Filesize
3KB
MD537b8aff700127701964da7a480a48296
SHA1b200cf63435dc197a4eb711aa9a9564f91307bb5
SHA2565c65d0cd01f97c94ee701640e6fcc84bbc68711dc587371ec2cded356ac85ea7
SHA5120188b104700366fc71c1652a632002bce8882146757335a8e78b24360d89ed89f901db2d3b60fe7efcba3201d9cf82260984e9999eb94c67e57acf96d8821759
-
Filesize
4.4MB
MD57399ebe1e1b9c99f3cb4a2521d424384
SHA17a560782421feb72b1e84f162cf0abd0809fda28
SHA2564704846c5605552a2573aeb62f176630fd2ba5498457420c3fb36a27cae6800f
SHA51280b6b5b2a93656211073560e3eb93063edec44d54a4346b64cab5898162936d3109e7d213d73a93e50ce3a20d163ce6f8eb27e3f31e72bae6c684e528413981d
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
32KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
1.3MB
-
Filesize
888KB
