Analysis
  max time kernel: 101s
  max time network: 100s
  platform: windows10-2004_x64
  resource: win10v2004-20250217-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-02-2025 13:04

Static task: static1

Behavioral task: behavioral1
  Sample: 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
  Resource: win7-20240903-en
General
  Target: 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
  Size: 390KB
  MD5: 5b7e6e352bacc93f7b80bc968b6ea493
  SHA1: e686139d5ed8528117ba6ca68fe415e4fb02f2be
  SHA256: 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
  SHA512: 9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
  SSDEEP: 12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa
Malware Config
Signatures
Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.

Mimikatz family (1 IoC)
  mimikatz is an open source tool to dump credentials on Windows.
  resource | yara_rule
  behavioral2/files/0x000c000000023bfa-17.dat | mimikatz
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
Executes dropped EXE (1 IoC)
  pid | Process
  3956 | 9923.tmp

Loads dropped DLL (1 IoC)
  pid | Process
  3388 | rundll32.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | rundll32.exe
Drops file in System32 directory (11 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
Drops file in Program Files directory (54 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\javafx-src.zip | rundll32.exe
  File opened for modification | C:\Program Files\JoinApprove.7z | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\jawt.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg | rundll32.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX | rundll32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.VBS | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | rundll32.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\classfile_constants.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\jni.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\jvmti.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h | rundll32.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg | rundll32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf | rundll32.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\perfc.dat | 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
  File opened for modification | C:\Windows\perfc.dat | rundll32.exe
  File created | C:\Windows\perfc | rundll32.exe
  File created | C:\Windows\dllhost.dat | rundll32.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings | mspaint.exe
  Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings | mspaint.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  876 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | Process (repeated rows collapsed with a count)
  3388 | rundll32.exe (x2)
  3956 | 9923.tmp (x6)
  4932 | taskmgr.exe (x28)
  3444 | mspaint.exe (x2)
  1512 | mspaint.exe (x2)
  1748 | msedge.exe (x2)
  4708 | msedge.exe (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4932 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid | Process (repeated rows collapsed with a count)
  4708 | msedge.exe (x5)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3388 | rundll32.exe
  Token: SeDebugPrivilege | 3388 | rundll32.exe
  Token: SeTcbPrivilege | 3388 | rundll32.exe
  Token: SeDebugPrivilege | 3956 | 9923.tmp
  Token: SeDebugPrivilege | 4932 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4932 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4932 | taskmgr.exe
  Token: 33 | 4932 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4932 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process (repeated rows collapsed with a count)
  4932 | taskmgr.exe (x48)
  932 | helppane.exe (x1)
  4708 | msedge.exe (x15)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process (repeated rows collapsed with a count)
  4932 | taskmgr.exe (x48)
  4708 | msedge.exe (x16)
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  3444 | mspaint.exe
  4732 | OpenWith.exe
  1512 | mspaint.exe
  2992 | OpenWith.exe
  932 | helppane.exe
  932 | helppane.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (repeated rows collapsed with a count)
  PID 996 wrote to memory of 3388 | 996 | 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe | 86 (x3)
  PID 3388 wrote to memory of 4428 | 3388 | rundll32.exe | 87 (x3)
  PID 3388 wrote to memory of 3956 | 3388 | rundll32.exe | 88 (x2)
  PID 4428 wrote to memory of 876 | 4428 | cmd.exe | 91 (x3)
  PID 932 wrote to memory of 4708 | 932 | helppane.exe | 109 (x2)
  PID 4708 wrote to memory of 2432 | 4708 | msedge.exe | 110 (x2)
  PID 4708 wrote to memory of 4488 | 4708 | msedge.exe | 111 (x40)
  PID 4708 wrote to memory of 1748 | 4708 | msedge.exe | 112 (x2)
  PID 4708 wrote to memory of 2352 | 4708 | msedge.exe | 113 (x7)
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe"
  PID: 996
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    PID: 3388
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:07
      PID: 4428
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:07
        PID: 876
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\9923.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\9923.tmp" \\.\pipe\{6BE70306-A345-4A12-A5F6-52D535EE73FE}
      PID: 3956
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4932
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1304

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
  PID: 3444
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  PID: 4104
  - Drops file in System32 directory

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4732
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\OpenReceive.jpeg" /ForceBootstrapPaint3D
  PID: 1512
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2992
  - Suspicious use of SetWindowsHookEx

C:\Windows\helppane.exe
  Command line: C:\Windows\helppane.exe -Embedding
  PID: 932
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
    PID: 4708
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88e6746f8,0x7ff88e674708,0x7ff88e674718
      PID: 2432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
      PID: 4488

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      PID: 1748
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
      PID: 2352

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      PID: 4340

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
      PID: 1372

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
      PID: 764

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
      PID: 2560

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4877293441195873789,15492352857542910551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      PID: 3676

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4796

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4440
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Pre-OS Boot (1): Bootkit (1)
    Scheduled Task/Job (1): Scheduled Task (1)
  Credential Access
    Credentials from Password Stores (1): Credentials from Web Browsers (1)
    Unsecured Credentials (1): Credentials In Files (1)
Downloads