Analysis
max time kernel: 152s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 28-11-2022 13:25
Static task: static1
Behavioral task: behavioral1
  Sample: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  Resource: win10v2004-20220812-en
General
Target: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
Size: 993KB
MD5: 6d344a5398d29561c114a95da3eee85c
SHA1: d90b3e5bf309af06d1dd87c7f79f50d3d322ba5c
SHA256: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e
SHA512: cefa627232b75149b13fe099d840481daf84d8fcd8e684975b2873c7d0bc42fd4ded8a35303f960ea525ad8d35d772fca1023ececce10f7fc6f32a2b07a021e8
SSDEEP: 12288:guEbpKb7E7d4Z2gzo5ddjwRLo1UaiZWacmVjy0fIKtklOefmMLzrWS/hJpoUHn:gdKbw7dM2gcxoEQ5W4WlqSj
Malware Config
Signatures
NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  behavioral2/memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp | MailPassView
  behavioral2/memory/2676-144-0x0000000000000000-mapping.dmp | MailPassView
  behavioral2/memory/2676-145-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/2676-147-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/2676-148-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
NirSoft WebBrowserPassView (6 IoCs)
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  behavioral2/memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp | WebBrowserPassView
  behavioral2/memory/5072-160-0x0000000000000000-mapping.dmp | WebBrowserPassView
  behavioral2/memory/5072-161-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral2/memory/5072-163-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral2/memory/5072-164-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral2/memory/5072-170-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
Nirsoft (10 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp | Nirsoft
  behavioral2/memory/2676-144-0x0000000000000000-mapping.dmp | Nirsoft
  behavioral2/memory/2676-145-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/2676-147-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/2676-148-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/5072-160-0x0000000000000000-mapping.dmp | Nirsoft
  behavioral2/memory/5072-161-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral2/memory/5072-163-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral2/memory/5072-164-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral2/memory/5072-170-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  15 | whatismyipaddress.com
  17 | whatismyipaddress.com
Suspicious use of SetThreadContext (4 IoCs)
Processes: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe, takshost.exe, takshost.exe
  description | pid | process | target process
  PID 3744 set thread context of 1808 | 3744 | d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe | d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  PID 1028 set thread context of 4128 | 1028 | takshost.exe | takshost.exe
  PID 4128 set thread context of 2676 | 4128 | takshost.exe | vbc.exe
  PID 4128 set thread context of 5072 | 4128 | takshost.exe | vbc.exe
Drops file in Program Files directory (2 IoCs)
Processes: setup.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129210134.pma | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\45c0ee9f-9b61-4660-8b95-1f8075f25629.tmp | setup.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: msedge.exe, vbc.exe, msedge.exe, takshost.exe, identity_helper.exe, msedge.exe
  pid | process
  1972 | msedge.exe
  1972 | msedge.exe
  5072 | vbc.exe
  5072 | vbc.exe
  3236 | msedge.exe
  3236 | msedge.exe
  4128 | takshost.exe
  4128 | takshost.exe
  2304 | identity_helper.exe
  2304 | identity_helper.exe
  5020 | msedge.exe
  5020 | msedge.exe
  5020 | msedge.exe
  5020 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
  pid | process
  3236 | msedge.exe
  3236 | msedge.exe
  3236 | msedge.exe
  3236 | msedge.exe
  3236 | msedge.exe
  3236 | msedge.exe
  3236 | msedge.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  pid | process
  3744 | d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe, takshost.exe, takshost.exe
  description | pid | process
  Token: SeDebugPrivilege | 3744 | d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  Token: SeDebugPrivilege | 1028 | takshost.exe
  Token: SeDebugPrivilege | 4128 | takshost.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msedge.exe
  pid | process
  3236 | msedge.exe
  3236 | msedge.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: takshost.exe
  pid | process
  4128 | takshost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (indented by depth in the process tree)

"C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"
    - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe54bb46f8,0x7ffe54bb4708,0x7ffe54bb4718
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6ba115460,0x7ff6ba115470,0x7ff6ba115480
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3348 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe54bb46f8,0x7ffe54bb4708,0x7ffe54bb4718
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7b4b103831d353776ed8bfcc7676f9df
  SHA1: 40f33a3f791fda49a35224a469cc67b94ca53a23
  SHA256: bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
  SHA512: 5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

\??\pipe\LOCAL\crashpad_3236_OEKIYWOHKEHMPKZM
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e