Analysis
max time kernel: 61s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 20:25
Behavioral task: behavioral1
Sample: c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Resource: win10v2004-20220901-en
General
Target: c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Size: 3.4MB
MD5: a75a69c8e7d43c798214ecfe57397224
SHA1: 5eea407838965192b0785ae08e7c7b4dbf900e33
SHA256: c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2
SHA512: 13cfcacf1c0fe8cb80a775394720fc1f77c14e36d187356ff9d60a37bd1cf0ff14f2a85780437981db5b1411218a1dbd85f93f4b1053d9196679a7d149949d5a
SSDEEP: 49152:WelMheDwmXQVKk2rBkyD3RZDaCAxQs8VlIiWSk8hM0wGUsfisgEWmBMbLCDrYGE5:7L8ArGoaCls8VlIkkgMlGUkMqoX
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2012-136-0x0000000000B50000-0x00000000013D6000-memory.dmp  family_stormkitty
behavioral2/memory/2012-137-0x0000000000B50000-0x00000000013D6000-memory.dmp  family_stormkitty
behavioral2/memory/2012-158-0x0000000000B50000-0x00000000013D6000-memory.dmp  family_stormkitty
behavioral2/memory/2012-160-0x0000000000B50000-0x00000000013D6000-memory.dmp  family_stormkitty
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Processes:
resource  yara_rule
behavioral2/memory/2012-136-0x0000000000B50000-0x00000000013D6000-memory.dmp  themida
behavioral2/memory/2012-137-0x0000000000B50000-0x00000000013D6000-memory.dmp  themida
behavioral2/memory/2012-160-0x0000000000B50000-0x00000000013D6000-memory.dmp  themida
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Checks whether UAC is enabled 1 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
Processes:
pid  process  entries
2012  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe  11
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid  pid_target  process  target process
64  2012  WerFault.exe  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Modifies registry class 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid  process  entries
2012  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe  23
2544  msedge.exe  2
2836  msedge.exe  2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
pid  process  entries
2836  msedge.exe  2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  2012  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Token: SeSecurityPrivilege  3768  msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid  process  entries
2836  msedge.exe  3
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process  entries
PID 2012 wrote to memory of 2316  2012  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe  msedge.exe  2
PID 2316 wrote to memory of 4584  2316  msedge.exe  msedge.exe  2
PID 2012 wrote to memory of 2836  2012  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe  msedge.exe  2
PID 2836 wrote to memory of 2428  2836  msedge.exe  msedge.exe  2
PID 2836 wrote to memory of 32  2836  msedge.exe  msedge.exe  40
PID 2836 wrote to memory of 2544  2836  msedge.exe  msedge.exe  2
PID 2836 wrote to memory of 4624  2836  msedge.exe  msedge.exe  14
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe
Processes
(tree depth shown as [1], [2], [3]; each entry gives the command line followed by the signatures hit by that process)

[1] "C:\Users\Admin\AppData\Local\Temp\c5ca3b412412cb576b80cd5ceabbf8997a1e8b7ad110545c4a0fbaece8acb4a2.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      - Suspicious use of WriteProcessMemory

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa081a46f8,0x7ffa081a4708,0x7ffa081a4718

  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:12856
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa081a46f8,0x7ffa081a4708,0x7ffa081a4718

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7806100086743597737,16394439958241846502,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7806100086743597737,16394439958241846502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7806100086743597737,16394439958241846502,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7806100086743597737,16394439958241846502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7806100086743597737,16394439958241846502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,7806100086743597737,16394439958241846502,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 /prefetch:8

  [2] C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2544
      - Program crash

[1] C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2012 -ip 2012
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1dde831b3f72227121241cfbcf0b8bfa
  SHA1: e076ca61127cce19e3495b3a0ae3dfdb8592effd
  SHA256: b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6
  SHA512: 2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

\??\pipe\LOCAL\crashpad_2836_QGIYHGUVMJKEHYAS
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps (file  Filesize):
memory/32-148-0x0000000000000000-mapping.dmp
memory/1964-154-0x0000000000000000-mapping.dmp
memory/2012-139-0x0000000005F80000-0x000000000601C000-memory.dmp  624KB
memory/2012-135-0x0000000077D50000-0x0000000077EF3000-memory.dmp  1.6MB
memory/2012-140-0x0000000006810000-0x0000000006DB4000-memory.dmp  5.6MB
memory/2012-141-0x00000000064B0000-0x0000000006542000-memory.dmp  584KB
memory/2012-161-0x0000000077D50000-0x0000000077EF3000-memory.dmp  1.6MB
memory/2012-160-0x0000000000B50000-0x00000000013D6000-memory.dmp  8.5MB
memory/2012-159-0x0000000077D50000-0x0000000077EF3000-memory.dmp  1.6MB
memory/2012-158-0x0000000000B50000-0x00000000013D6000-memory.dmp  8.5MB
memory/2012-138-0x0000000005AF0000-0x0000000005B56000-memory.dmp  408KB
memory/2012-137-0x0000000000B50000-0x00000000013D6000-memory.dmp  8.5MB
memory/2012-134-0x0000000000B50000-0x00000000013D6000-memory.dmp  8.5MB
memory/2012-136-0x0000000000B50000-0x00000000013D6000-memory.dmp  8.5MB
memory/2316-142-0x0000000000000000-mapping.dmp
memory/2428-145-0x0000000000000000-mapping.dmp
memory/2544-149-0x0000000000000000-mapping.dmp
memory/2836-144-0x0000000000000000-mapping.dmp
memory/4584-143-0x0000000000000000-mapping.dmp
memory/4624-152-0x0000000000000000-mapping.dmp
memory/4976-156-0x0000000000000000-mapping.dmp