Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 01:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
- Resource: win7-20220812-en
General
- Target: f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
- Size: 935KB
- MD5: 39155d3cb3f7297e02c78e8de64e0060
- SHA1: 3a8825b7168b837d5388f5b26b24ea950169f131
- SHA256: f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429
- SHA512: 30d2d6237964da7af8fa9b89ef2168c471f5cd9a504ca2d777bdf361b813c8be21763d89f5ad92fc9ee1e1cf1104d41ee16b75b37934fce5544977a57c82c8a4
- SSDEEP: 24576:n4t9MIPPE/RaPtUPYh31XyGb7govmIa1x3c:K0/R0tkA1fgUmIix
Malware Config
Extracted
- Family: darkcomet
- Botnet: RAT
- C2: liorhadad.no-ip.info:1300, 46.116.152.219:1300, 85.64.54.170:1300
- Mutex: DC_MUTEX-69QBQR9
- Attributes:
  - gencode: 6GuJmgpzwFpe
  - install: false
  - offline_keylogger: true
  - password: 123456s
  - persistence: false
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: HacKed
- C2: mark3000011.no-ip.biz:1177
- Mutex: b5857819bb096c04134249d6f4e71934
- Attributes:
  - reg_key: b5857819bb096c04134249d6f4e71934
  - splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    4336  gg.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  gg.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe"  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe"  gg.exe
    Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
    PID 4920 set thread context of 2560  4920  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe  cvtres.exe
    PID 4336 set thread context of 3108  4336  gg.exe  cvtres.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4610e7ef-827e-4e8c-a6b2-73bcbece0155.tmp  setup.exe
    File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221004055551.pma  setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
- Modifies registry class (3 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  gg.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
    Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process / count):
    4016  msedge.exe  (2)
    916  msedge.exe  (2)
    1320  msedge.exe  (2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes (pid / process / count):
    1320  msedge.exe  (7)
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  4920  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
    Token: SeDebugPrivilege  4336  gg.exe
    Token: SeIncreaseQuotaPrivilege  3108  cvtres.exe
    Token: SeSecurityPrivilege  3108  cvtres.exe
    Token: SeTakeOwnershipPrivilege  3108  cvtres.exe
    Token: SeLoadDriverPrivilege  3108  cvtres.exe
    Token: SeSystemProfilePrivilege  3108  cvtres.exe
    Token: SeSystemtimePrivilege  3108  cvtres.exe
    Token: SeProfSingleProcessPrivilege  3108  cvtres.exe
    Token: SeIncBasePriorityPrivilege  3108  cvtres.exe
    Token: SeCreatePagefilePrivilege  3108  cvtres.exe
    Token: SeBackupPrivilege  3108  cvtres.exe
    Token: SeRestorePrivilege  3108  cvtres.exe
    Token: SeShutdownPrivilege  3108  cvtres.exe
    Token: SeDebugPrivilege  3108  cvtres.exe
    Token: SeSystemEnvironmentPrivilege  3108  cvtres.exe
    Token: SeChangeNotifyPrivilege  3108  cvtres.exe
    Token: SeRemoteShutdownPrivilege  3108  cvtres.exe
    Token: SeUndockPrivilege  3108  cvtres.exe
    Token: SeManageVolumePrivilege  3108  cvtres.exe
    Token: SeImpersonatePrivilege  3108  cvtres.exe
    Token: SeCreateGlobalPrivilege  3108  cvtres.exe
    Token: 33  3108  cvtres.exe
    Token: 34  3108  cvtres.exe
    Token: 35  3108  cvtres.exe
    Token: 36  3108  cvtres.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process / count):
    1320  msedge.exe  (2)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    3108  cvtres.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid -> target pid / source process -> target process / count of "wrote to memory of" events):
    4920 -> 4336  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe -> gg.exe  (3)
    4920 -> 4192  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe -> WScript.exe  (3)
    4336 -> 3368  gg.exe -> WScript.exe  (3)
    4336 -> 3108  gg.exe -> cvtres.exe  (14)
    4920 -> 2560  f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe -> cvtres.exe  (8)
    2560 -> 4584  cvtres.exe -> msedge.exe  (2)
    2560 -> 1320  cvtres.exe -> msedge.exe  (2)
    1320 -> 1800  msedge.exe -> msedge.exe  (2)
    4584 -> 1780  msedge.exe -> msedge.exe  (2)
    4584 -> 3588  msedge.exe -> msedge.exe  (17)
    1320 -> 4904  msedge.exe -> msedge.exe  (8)
Processes
- C:\Users\Admin\AppData\Local\Temp\f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f07ba8bfcdcfa52a20e341a6d22b8f6d3ed668e947d33770b02e7d391a2aa429.exe"
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gg.exe"
    Signatures:
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RmhOmkR.vbs"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JSQXPWJM.vbs"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Command line: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cvtres.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      Signatures:
        - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8aa4d46f8,0x7ff8aa4d4708,0x7ff8aa4d4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17679584759006476829,4323120913604263561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17679584759006476829,4323120913604263561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        Signatures:
          - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cvtres.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      Signatures:
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8aa4d46f8,0x7ff8aa4d4708,0x7ff8aa4d4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        Signatures:
          - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5432 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5504 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11147650389012765598,6347920192322882972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        Signatures:
          - Drops file in Program Files directory
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff78f545460,0x7ff78f545470,0x7ff78f545480
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize: 471B
  MD5: dcb650a933b718c9e345f34b03dcf176
  SHA1: 5d685186371b16d6c48a076fabcf9b43ad821b3e
  SHA256: 81f0783a49afce7c284a0b9099f45a646694fdd67ce33a5e275aa461262a1d44
  SHA512: e4a8e165fa3166b52e941559ed50c49e13f7a28e181338cea892b448f31eb5ded74e35584386b853d17a1817294a64888da69acb8170d35c46288f2ec8323ce7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize: 416B
  MD5: 8a3a185233c52431f1ffdc1d0a537187
  SHA1: 43f0872fe538920b17a057a9c4b46798be3c25ed
  SHA256: 958f3198d0f0fffe23ab372d631ef7e09033d3d54b2da35738723787cdb83698
  SHA512: 9ded9eaca7be4fee4d8764174c02aa124609bc83eb78d5089ad209677552d9348bbe5fceec3e823f74e403fc2c7ff853244c76c200034545cc964d59a7931e7d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 727230d7b0f8df1633bc043529f5c15d
  SHA1: 5b24d959d4c5dcf8125125dbee37225d6160af18
  SHA256: 54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998
  SHA512: 35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 727230d7b0f8df1633bc043529f5c15d
  SHA1: 5b24d959d4c5dcf8125125dbee37225d6160af18
  SHA256: 54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998
  SHA512: 35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7b4b103831d353776ed8bfcc7676f9df
  SHA1: 40f33a3f791fda49a35224a469cc67b94ca53a23
  SHA256: bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
  SHA512: 5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7b4b103831d353776ed8bfcc7676f9df
  SHA1: 40f33a3f791fda49a35224a469cc67b94ca53a23
  SHA256: bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
  SHA512: 5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5: d7efc72c10e0c7fd415bca4fe831284a
  SHA1: ee9be971793720a0d98c3176c9a4f2a5358740f8
  SHA256: 21b9d3b827a2445f0fb28fdfad63ba0f1423006c865e1cfbc582debd5a636f07
  SHA512: f47ba7f107c1d9d0b54eee97250bba6e29e7c783f563f6b7046eb1c510ae54a8e343c9888cd71f1d0914f28defab9fdb5a6eb26a83222c68f93eb56c27f67018
- C:\Users\Admin\AppData\Local\Temp\Windows.exe
  Filesize: 782KB
  MD5: 33494ef99ed1250e796947c370876f46
  SHA1: 2b68d4796c608ee0bf794afbee7514b8773a1bbd
  SHA256: 8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8
  SHA512: e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9
- C:\Users\Admin\AppData\Local\Temp\gg.exe
  Filesize: 782KB
  MD5: 33494ef99ed1250e796947c370876f46
  SHA1: 2b68d4796c608ee0bf794afbee7514b8773a1bbd
  SHA256: 8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8
  SHA512: e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9
- C:\Users\Admin\AppData\Local\Temp\gg.exe
  Filesize: 782KB
  MD5: 33494ef99ed1250e796947c370876f46
  SHA1: 2b68d4796c608ee0bf794afbee7514b8773a1bbd
  SHA256: 8fda0b6082e33d1ed269fe21226fc292e684464a3e3c8c2a84709a84f78ca2c8
  SHA512: e161edd77f3ee5bd9d8071c371d4296da25a1546a0e693b598fd2bc66456a786fd3f86c1908747f6a5d8dc81fd1e3054d10a0430fbac385d672a3069a41cbcc9
- C:\Users\Admin\AppData\Roaming\JSQXPWJM.vbs
  Filesize: 455B
  MD5: e0d1baab1e00cf58f684cc15f81891af
  SHA1: 7a192fe8a1b1541710cf9535a6384465f8d079bc
  SHA256: d177dcdf8e1a430a76b95977ef590659bb6f9bb0dd0ed9ecb142351235f786db
  SHA512: c66888e2a2cb609d208bbdfc56d9592d1c564546b56311adb5a53adc79ce2f1ffce2a0c06eb905c5a6b81d04afbc45d0454b28ae703246054a2e1f4285e319b7
- C:\Users\Admin\AppData\Roaming\RmhOmkR.vbs
  Filesize: 382B
  MD5: 21fb6b9c51805fdf6f439ad5689b70d4
  SHA1: f3c90a8517f976025f255808085b4651c46c81a5
  SHA256: 430bdb234f4ca075ca59d6badd4645d05d530345ee6a9d64bef48c902dc697c4
  SHA512: 939f50febe6a693b66fe8b436c623321497d6fcc4ea247955e6dcf83c9bc0ab90c5203aa9496eb4d9cd88e8647cd1d05bee798a4c5093bde9063483768a246b9
- \??\pipe\LOCAL\crashpad_1320_EPEHOXNFHFBSHPAM
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\pipe\LOCAL\crashpad_4584_MFFLMAAJBFHRGKMX
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps (path, filesize where reported):
- memory/916-167-0x0000000000000000-mapping.dmp
- memory/1072-188-0x0000000000000000-mapping.dmp
- memory/1320-155-0x0000000000000000-mapping.dmp
- memory/1416-193-0x0000000000000000-mapping.dmp
- memory/1780-157-0x0000000000000000-mapping.dmp
- memory/1800-156-0x0000000000000000-mapping.dmp
- memory/1976-178-0x0000000000000000-mapping.dmp
- memory/2560-143-0x0000000000400000-0x000000000040E000-memory.dmp (56KB)
- memory/2560-141-0x0000000000000000-mapping.dmp
- memory/2588-190-0x0000000000000000-mapping.dmp
- memory/2688-192-0x0000000000000000-mapping.dmp
- memory/3108-152-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/3108-142-0x0000000000000000-mapping.dmp
- memory/3108-153-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/3108-148-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/3108-145-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/3108-144-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/3264-182-0x0000000000000000-mapping.dmp
- memory/3316-184-0x0000000000000000-mapping.dmp
- memory/3368-140-0x0000000000000000-mapping.dmp
- memory/3588-164-0x0000000000000000-mapping.dmp
- memory/3624-186-0x0000000000000000-mapping.dmp
- memory/3976-180-0x0000000000000000-mapping.dmp
- memory/4016-166-0x0000000000000000-mapping.dmp
- memory/4164-174-0x0000000000000000-mapping.dmp
- memory/4192-139-0x0000000000000000-mapping.dmp
- memory/4336-134-0x0000000000000000-mapping.dmp
- memory/4336-151-0x00000000749C0000-0x0000000074F71000-memory.dmp (5.7MB)
- memory/4336-138-0x00000000749C0000-0x0000000074F71000-memory.dmp (5.7MB)
- memory/4336-137-0x00000000749C0000-0x0000000074F71000-memory.dmp (5.7MB)
- memory/4452-169-0x0000000000000000-mapping.dmp
- memory/4584-154-0x0000000000000000-mapping.dmp
- memory/4768-194-0x0000000000000000-mapping.dmp
- memory/4904-165-0x0000000000000000-mapping.dmp
- memory/4920-133-0x00000000749C0000-0x0000000074F71000-memory.dmp (5.7MB)
- memory/4920-132-0x00000000749C0000-0x0000000074F71000-memory.dmp (5.7MB)
- memory/4920-149-0x00000000749C0000-0x0000000074F71000-memory.dmp (5.7MB)