ramnit | 7d0eb3c271e15811bfce3acebdbe17cb7d91ed01b988092d050ab9b88bbf367f

Analysis

max time kernel
121s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

screenscrew.exe
Size

167KB
MD5

73d51997f201501a641743db5494f864
SHA1

01a10a3f7d3e62e70538273285f4f4ef75793465
SHA256

7d0eb3c271e15811bfce3acebdbe17cb7d91ed01b988092d050ab9b88bbf367f
SHA512

28549142ffc196a5b23110f1999f56c25491ab3c31f2a3896bdb57d8fcb852487fb3e7b648366f998decfbdb910aadf74036729d24660ab9a1972aea190310eb
SSDEEP

3072:A0J9QbLkewys+C6pNxFE7Z6wAOpw7DZ6/:Z9QboZyJp7xq6wAZU

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1044	screenscrewSrv.exe
4444	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023c21-3.dat	upx
behavioral1/memory/1044-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/4444-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1044-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/4444-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/4444-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	screenscrewSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	screenscrewSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA75C.tmp	screenscrewSrv.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrewSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3D2E3E9D-DF1B-11EF-8FFC-FAB3ED94934A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4444	DesktopLayer.exe
4808	msedge.exe
4808	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
932	identity_helper.exe
932	identity_helper.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	taskmgr.exe
Token: SeSystemProfilePrivilege	3996	taskmgr.exe
Token: SeCreateGlobalPrivilege	3996	taskmgr.exe
Token: 33	3996	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3996	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5092	iexplore.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5092	iexplore.exe
5092	iexplore.exe
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 1044	3104	screenscrew.exe	83
PID 3104 wrote to memory of 1044	3104	screenscrew.exe	83
PID 3104 wrote to memory of 1044	3104	screenscrew.exe	83
PID 1044 wrote to memory of 4444	1044	screenscrewSrv.exe	84
PID 1044 wrote to memory of 4444	1044	screenscrewSrv.exe	84
PID 1044 wrote to memory of 4444	1044	screenscrewSrv.exe	84
PID 4444 wrote to memory of 5092	4444	DesktopLayer.exe	85
PID 4444 wrote to memory of 5092	4444	DesktopLayer.exe	85
PID 5092 wrote to memory of 3748	5092	iexplore.exe	86
PID 5092 wrote to memory of 3748	5092	iexplore.exe	86
PID 5092 wrote to memory of 3748	5092	iexplore.exe	86
PID 5088 wrote to memory of 4508	5088	msedge.exe	93
PID 5088 wrote to memory of 4508	5088	msedge.exe	93
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 1828	5088	msedge.exe	94
PID 5088 wrote to memory of 4808	5088	msedge.exe	95
PID 5088 wrote to memory of 4808	5088	msedge.exe	95
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96
PID 5088 wrote to memory of 4128	5088	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\screenscrew.exe
"C:\Users\Admin\AppData\Local\Temp\screenscrew.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\screenscrewSrv.exe
  C:\Users\Admin\AppData\Local\Temp\screenscrewSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5092 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1e5046f8,0x7ffb1e504708,0x7ffb1e504718
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,1680373598098130235,8454597561779677385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3128

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65a84cd7925378cc74972cc4e677ecef

SHA1
30b4da4c5dbd0cc77d756d270ad260ef74987ccf

SHA256
7be0a4cebd74cb4d879e3f9950f5ac5a05acc3bdc415bbf9d3dd691cccee2cb5

SHA512
ef142224cc0b94a1c5585836988a0d544e7e8b5e8573a1893c9fac528a1ccbbab6c9c7acaad7cfec1a415544bbdcdfd1d0c5e0a0819cb94107fd81989df18704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62e6ffe7501e581c80b178323e921b81

SHA1
d0881a3d0aee1c256291d34a90e3092fffa60ce2

SHA256
a4f50a6b36e27013a694382c996a1d3059d38310a138f21aa25cc682be5cb0e5

SHA512
0c4e34fc9a7c5308b1cd05ea71d78c75a9fb85267d7f3e5616dbc1390794941eb549bcc70f7430046ca79cc0055edf0bd51b8eb43f84ee42163dd34d612ba137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
816f562705bb3072a0155cd49ee57d6b

SHA1
b5ac663473d8b143917a8a092fff84d62dcb7b9b

SHA256
40d4f89a55be6e7d60d35265f51639d02fb3ca57b40d8be0b8c6a1f821caf4da

SHA512
5e8c48ac2328862ff1f989a6183034805cb4a23c1105c26402a941a2a7bae46461365df8e90259d9c15437a36ea8bf552e2f44fe65b8c0c48475f2ce4395ec84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c7aff2719d69df94fafda5f78fcc409

SHA1
c852f0c7693853a2a2d50671eab4c292aabb9e93

SHA256
514ca11fd7bc70681b2361611f47490a065532afb3c484cdb7a38ce071ae396d

SHA512
288cc64edfcf5a50f07f675a1e74d7cdcfb3cc7b7b07c5d7074d52136a774fcccd13d692d88fa0e7b24a09f6132f6e02c57cd0ab54365c181284f99c569e8139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6dda16b615ad1bce477dfdfc41114392

SHA1
92818093a23a360655c18bf9fd8d15b36d74b07f

SHA256
314e66c124ad6e03cf0159cf3ccc62f46d43c5ec18f1c7f582a7414cb3774caf

SHA512
fac901cdf5cde47e7ae32575b57c89a189a89d9c2b39f61c350257507189451f85cda909e13c3f35eadf4c3878fc98fd1b55096e02f7d4776cc50e70872823c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenscrewSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1044-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1044-8-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/1044-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3104-19-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3104-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3104-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3996-160-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-164-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-165-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-166-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-158-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-167-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-159-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-168-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-170-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/3996-169-0x0000021590F40000-0x0000021590F41000-memory.dmp

Filesize
4KB

Download
memory/4444-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4444-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4444-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4444-15-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download