Analysis
- max time kernel: 503s
- max time network: 508s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 15:38
Behavioral task: behavioral1
- Sample: LafameBeta.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: LafameBeta.exe
- Resource: win10v2004-20230220-en
This page shows the behavioral2 run (Windows 10 2004 x64); the Windows 7 task is listed, but its results are not part of this export.
General
- Target: LafameBeta.exe
- Size: 45KB
- MD5: a7f473e14b7c3e56561ff51f87b2f279
- SHA1: 799bb3816916db3e6e92ff665c34e020cf444859
- SHA256: 05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361
- SHA512: eb118655b71c4b04cc9da4de9f943b98ce9c7ca562835a39a757a4e5f333da0fdcb39c34eec0f5351855875a301078ecc96126af32c17f4f1eff512c4cdc5e69
- SSDEEP: 768:TuERVThg5RXWUr/+1mo2qD84lNVx1VEHUPIKFjbmgX3inm6AhL1uQHQoBDZTx:TuERVThaa2AlQKNb5XSTApHdTx
Malware Config
Extracted: asyncrat
- Version: 0.5.7B
- Botnet/group: COM Surrogate
- C2: the configuration carries three hosts (127.0.0.1, 4.tcp.eu.ngrok.io, 7.tcp.eu.ngrok.io) and six ports (6606, 7707, 8808, 1604, 14576, 15074); the sandbox lists every host x port combination:
  - 127.0.0.1:6606
  - 127.0.0.1:7707
  - 127.0.0.1:8808
  - 127.0.0.1:1604
  - 127.0.0.1:14576
  - 127.0.0.1:15074
  - 4.tcp.eu.ngrok.io:6606
  - 4.tcp.eu.ngrok.io:7707
  - 4.tcp.eu.ngrok.io:8808
  - 4.tcp.eu.ngrok.io:1604
  - 4.tcp.eu.ngrok.io:14576
  - 4.tcp.eu.ngrok.io:15074
  - 7.tcp.eu.ngrok.io:6606
  - 7.tcp.eu.ngrok.io:7707
  - 7.tcp.eu.ngrok.io:8808
  - 7.tcp.eu.ngrok.io:1604
  - 7.tcp.eu.ngrok.io:14576
  - 7.tcp.eu.ngrok.io:15074
- Mutex: COM Surrogate
- delay: 3
- install: true
- install_file: Microsoftfixer.exe
- install_folder: %AppData%

Practical notes on these values: the 127.0.0.1 entries are loopback and never leave the host, so they are not network indicators. The two ngrok hostnames are shared ngrok TCP ingress hosts that terminate many unrelated tunnels, so alert on the host and port together rather than on the hostname alone, and treat the pairs as time-bound (a restarted tunnel gets a new allocation). With install set to true, the expected on-disk artefacts are %AppData%\Microsoftfixer.exe and, as the process tree below shows, a logon-triggered scheduled task named after the install file.
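The following is an added example, not code from the sample, the sandbox or the AsyncRAT project: a small Python helper that takes the configuration values above and derives the indicators a responder would actually act on, separating the unusable loopback pairs from the ngrok ones, expanding %AppData% for a given profile, and matching constructed connection records. The profile path C:\Users\Admin\AppData\Roaming, the generalised ngrok hostname pattern and the sample records are assumptions; the rule that the scheduled task is named after the install file without its extension is taken from this run's process tree, not from AsyncRAT source.

```python
"""Derive host and network IOCs from the AsyncRAT config extracted above.

Added example for this report (not sandbox or AsyncRAT code). CONFIG copies
the report's values; the profile path, the ngrok hostname pattern and the
sample connection records are constructed assumptions.
"""
import re
from itertools import product

CONFIG = {
    "version": "0.5.7B",
    "hosts": ["127.0.0.1", "4.tcp.eu.ngrok.io", "7.tcp.eu.ngrok.io"],
    "ports": [6606, 7707, 8808, 1604, 14576, 15074],
    "mutex": "COM Surrogate",
    "delay": 3,
    "install": True,
    "install_file": "Microsoftfixer.exe",
    "install_folder": "%AppData%",
}

# ngrok TCP tunnel endpoints look like <n>.tcp.<region>.ngrok.io; this is an
# assumption generalised from the two hosts in the report.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.[a-z]{2}\.ngrok\.io$", re.IGNORECASE)


def c2_pairs(cfg):
    """Every host x port combination, which is how the sandbox lists the C2."""
    return list(product(cfg["hosts"], cfg["ports"]))


def is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def actionable_c2(cfg):
    """Loopback entries never cross the network; keep only the routable pairs."""
    return [(h, p) for h, p in c2_pairs(cfg) if not is_loopback(h)]


def expected_install_path(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """%AppData% resolves to the Roaming profile (constructed user 'Admin')."""
    folder = cfg["install_folder"].replace("%AppData%", appdata)
    return folder.rstrip("\\") + "\\" + cfg["install_file"]


def expected_task_name(cfg):
    """In this run the schtasks /tn was the install file name minus extension."""
    return cfg["install_file"].rsplit(".", 1)[0]


def host_iocs(cfg):
    """What to look for on an endpoint: file, task and mutex names."""
    return {
        "install_path": expected_install_path(cfg),
        "task_name": expected_task_name(cfg),
        "mutex": cfg["mutex"],
    }


def match_connections(records, cfg):
    """records: (dst_host, dst_port) tuples. Returns (host, port, reason) hits."""
    exact = set(actionable_c2(cfg))
    ports = set(cfg["ports"])
    hits = []
    for host, port in records:
        if (host, port) in exact:
            hits.append((host, port, "exact C2 match"))
        elif NGROK_TCP_RE.match(host) and port in ports:
            # Same port set on another ngrok ingress host: likely the same
            # operator after a tunnel restart. Weaker, so flagged separately.
            hits.append((host, port, "ngrok TCP tunnel on configured port"))
    return hits


# Constructed sample records; not taken from the report's network capture.
SAMPLE_CONNECTIONS = [
    ("4.tcp.eu.ngrok.io", 6606),
    ("7.tcp.eu.ngrok.io", 1604),
    ("127.0.0.1", 7707),
    ("2.tcp.eu.ngrok.io", 14576),
    ("www.whatsmyip.com", 443),
]

if __name__ == "__main__":
    print(host_iocs(CONFIG))
    for hit in match_connections(SAMPLE_CONNECTIONS, CONFIG):
        print("HIT", hit)
```

Running the block prints the three host indicators and three network hits; the loopback pair and the whatsmyip.com lookup are ignored. The weaker "same port on another ngrok host" rule is kept separate from exact matches so it can be tuned or dropped without touching the high-confidence indicators.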
Signatures
- Async RAT payload (3 IoCs)
  yara_rule asyncrat matched on:
  - behavioral2/memory/2008-133-0x0000000000100000-0x0000000000112000-memory.dmp
  - C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
  - C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - LafameBeta.exe: Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  - pid 4912 Microsoftfixer.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  The extracted C2 list points at ngrok TCP tunnel endpoints (4.tcp.eu.ngrok.io and 7.tcp.eu.ngrok.io); see Malware Config.
- Drops file in Program Files directory (2 IoCs)
  Both hits come from the Edge installer helper (setup.exe) that msedge.exe spawned on first run, not from the sample writing into Program Files itself.
  - setup.exe: File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\723db4b2-603c-44a1-9e01-50f6adbff277.tmp
  - setup.exe: File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230321164010.pma
- Enumerates physical storage devices (1 TTPs)
  Generic signature text: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." No process or IoC is attributed to it in this run and nothing else in the report points to ransomware, so treat it as an unattributed, low-confidence heuristic.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  Generic signature text: "SCSI information is often read in order to detect sandboxing environments." All three hits are from taskmgr.exe (pid 2808), a root-level process that is not a descendant of the sample; this is Task Manager reading disk names, not anti-sandbox behaviour by LafameBeta.exe.
  - taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  - taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Creates scheduled task(s) (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created with schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"' (see the process tree): it runs at every logon with highest privileges, and /f silently overwrites any existing task of that name.
- Delays execution with timeout.exe (1 IoC)
  - pid 2396 timeout.exe (timeout 3, run from the dropped Temp .bat)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  All hits are from msedge.exe (pid 4964), which Microsoftfixer.exe launched; this is Edge's own startup activity rather than the sample reading BIOS data.
  - msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view network configuration.
  - pid 2172 NETSTAT.EXE (run via cmd.exe under Microsoftfixer.exe)
- Modifies registry class (1 IoC)
  - msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the list is capped at 64)
  - pid 2008 LafameBeta.exe (repeated hits)
  - pid 2808 taskmgr.exe (repeated hits; the root-level Task Manager noted above)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  - pid 4964 msedge.exe (x4)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  - SeDebugPrivilege: 2008 LafameBeta.exe
  - SeDebugPrivilege: 4912 Microsoftfixer.exe (x2)
  - SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, privilege 33 (SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege: 2808 taskmgr.exe
  - SeDebugPrivilege: 2172 NETSTAT.EXE
  The SeDebugPrivilege requests by LafameBeta.exe and its dropped copy are the sample's own; the taskmgr.exe entries are normal Task Manager behaviour.
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - pid 2808 taskmgr.exe only (x64)
- Suspicious use of SendNotifyMessage (64 IoCs)
  - pid 2808 taskmgr.exe only (x64)
- Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64)
  Parent -> child writes, with the repeated lines of the original collapsed (counts in parentheses):
  - 2008 LafameBeta.exe -> 4184 cmd.exe (3)
  - 2008 LafameBeta.exe -> 1220 cmd.exe (3)
  - 1220 cmd.exe -> 2396 timeout.exe (3)
  - 4184 cmd.exe -> 3064 schtasks.exe (3)
  - 1220 cmd.exe -> 4912 Microsoftfixer.exe (3)
  - 4912 Microsoftfixer.exe -> 4964 msedge.exe (2)
  - 4964 msedge.exe -> 4480 msedge.exe (2)
  - 4964 msedge.exe -> 3588 msedge.exe (repeated)
  - 4964 msedge.exe -> 4928 msedge.exe (2)
  - 4964 msedge.exe -> 4940 msedge.exe (3)
  Every write here is from a parent into a child it has just created, which trips this signature routinely (the parent writes the new process's startup parameters). Nothing in the list shows a write into an unrelated process, so this is not evidence of injection.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\LafameBeta.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\LafameBeta.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"'
      - Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DDF.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout 3
      - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.whatsmyip.com/
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffebb1f46f8,0x7ffebb1f4708,0x7ffebb1f4718
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff72afa5460,0x7ff72afa5470,0x7ff72afa5480
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2705011703588542938,14015332050396442925,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd"
        - [5] C:\Windows\SysWOW64\NETSTAT.EXE
          cmdline: netstat
          - Gathers network information
          - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskmgr.exe (separate root process, not a descendant of the sample)
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- [1] C:\Windows\System32\CompPkgSrv.exe (separate root process, not a descendant of the sample)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

Reading the tree: the bracketed number is the depth in the original report. The sample (a 32-bit binary) spawns two cmd.exe children; one registers the logon task, the other runs a .bat from %TEMP% that waits three seconds (timeout.exe) and then starts the copy in %AppData%\Roaming. The children show C:\Windows\SysWOW64 as their image path while their command lines say System32 because WOW64 file-system redirection maps the 32-bit parent's System32 requests to SysWOW64. The cmd -> netstat and msedge -> https://www.whatsmyip.com/ children of Microsoftfixer.exe appear after installation and are consistent with interactive operator commands over the live ngrok C2; the report does not show what triggered them.
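The following is an added example and not code from the report, the sandbox or the AsyncRAT project: detection logic for the install chain in this tree, run over process-creation events constructed from it (pid, parent pid, image, command line and, where the report gives one, SHA256). The field names are an assumption modelled on Sysmon Event ID 1. It matches on the image basename rather than the directory, because the 32-bit sample's children live under SysWOW64 while their command lines say System32, and it closes the loop by checking that the scheduled task's target is the same binary that ran from Roaming with the submitted sample's hash.

```python
"""Detect the AsyncRAT install chain shown in the process tree above.

Added example for this report, not sandbox or AsyncRAT code. EVENTS is
constructed from the tree (the root's parent pid is unknown); field names
are an assumption modelled on Sysmon Event ID 1 (ProcessCreate).
"""
import re
from pathlib import PureWindowsPath

# SHA256 the report gives for both LafameBeta.exe and the dropped copy.
SAMPLE_SHA256 = "05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361"
TARGET = r"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"
SCHTASKS = ('schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" '
            '/tr \'"' + TARGET + '"\'')

EVENTS = [
    dict(pid=2008, ppid=None, sha256=SAMPLE_SHA256,
         image=r"C:\Users\Admin\AppData\Local\Temp\LafameBeta.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\LafameBeta.exe"'),
    dict(pid=4184, ppid=2008, sha256=None, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline='"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS + " & exit"),
    dict(pid=3064, ppid=4184, sha256=None, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline=SCHTASKS),
    dict(pid=1220, ppid=2008, sha256=None, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DDF.tmp.bat""'),
    dict(pid=2396, ppid=1220, sha256=None, image=r"C:\Windows\SysWOW64\timeout.exe",
         cmdline="timeout 3"),
    dict(pid=4912, ppid=1220, sha256=SAMPLE_SHA256, image=TARGET, cmdline='"' + TARGET + '"'),
]

TN_RE = re.compile(r"/tn\s+\"?([^\"\s]+)", re.I)
TR_RE = re.compile(r"/tr\s+'?\"?([^'\"]+)", re.I)
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat", re.I)


def basename(path):
    """File name only: WOW64 redirection makes the directory unreliable here."""
    return PureWindowsPath(path).name.lower()


def in_roaming(path):
    return "\\appdata\\roaming\\" in path.lower()


def find_onlogon_task(events):
    """schtasks /create with /sc onlogon and /rl highest targeting %AppData%."""
    for ev in events:
        cl = ev["cmdline"].lower()
        if (basename(ev["image"]) == "schtasks.exe" and "/create" in cl
                and "/sc onlogon" in cl and "/rl highest" in cl):
            tn, tr = TN_RE.search(ev["cmdline"]), TR_RE.search(ev["cmdline"])
            if tn and tr and in_roaming(tr.group(1)):
                return {"pid": ev["pid"], "task": tn.group(1), "target": tr.group(1)}
    return None


def find_temp_bat(events):
    """cmd.exe running a tmpXXXX.tmp.bat from the user's Temp directory."""
    return [ev for ev in events
            if basename(ev["image"]) == "cmd.exe" and TEMP_BAT_RE.search(ev["cmdline"])]


def delayed_launch(events, bat_pid):
    """The .bat's cmd.exe spawned timeout.exe and an executable under Roaming."""
    kids = [ev for ev in events if ev["ppid"] == bat_pid]
    waited = any(basename(k["image"]) == "timeout.exe" for k in kids)
    payload = [k for k in kids if in_roaming(k["image"])]
    return payload[0] if waited and payload else None


def find_self_copy(events):
    """A Roaming-path process whose hash equals an earlier process run from elsewhere."""
    seen, hits = {}, []
    for ev in events:
        h = ev.get("sha256")
        if not h:
            continue
        earlier = [p for p in seen.get(h, []) if p.lower() != ev["image"].lower()]
        if in_roaming(ev["image"]) and earlier:
            hits.append({"pid": ev["pid"], "image": ev["image"], "original": earlier[0]})
        seen.setdefault(h, []).append(ev["image"])
    return hits


def analyse(events):
    findings = []
    task = find_onlogon_task(events)
    if task:
        findings.append(f"onlogon task {task['task']!r} (pid {task['pid']}) runs {task['target']}")
    for bat in find_temp_bat(events):
        payload = delayed_launch(events, bat["pid"])
        if payload:
            findings.append(f"cmd.exe {bat['pid']} ran a Temp .bat: timeout, then "
                            f"{payload['image']} (pid {payload['pid']})")
    copies = find_self_copy(events)
    for c in copies:
        findings.append(f"{c['image']} (pid {c['pid']}) has the same SHA256 as {c['original']}: self-copy")
    if task and any(c["image"].lower() == task["target"].lower() for c in copies):
        findings.append("VERDICT: AsyncRAT-style install (schtasks onlogon + Temp .bat delay "
                        "+ self-copy to %AppData%)")
    return findings


if __name__ == "__main__":
    for line in analyse(EVENTS):
        print(line)
```

Each of the three sub-detections is weak on its own (schtasks onlogon tasks, Temp batch files and timeout.exe all occur in legitimate software); the verdict fires only when the task target and the self-copied binary are the same file, which is the part of this chain that benign installers do not reproduce.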
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Most entries below are Edge profile and cache files written by the browser that Microsoftfixer.exe launched. The files attributable to the sample itself are tmp7DDF.tmp.bat and Microsoftfixer.exe.
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 0820611471c1bb55fa7be7430c7c6329
  SHA1: 5ce7a9712722684223aced2522764c1e3a43fbb9
  SHA256: f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75
  SHA512: 77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 425e83cc5a7b1f8edfbec7d986058b01
  SHA1: 432a90a25e714c618ff30631d9fdbe3606b0d0df
  SHA256: 060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd
  SHA512: 4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 48B
  MD5: efad1e676918288c3102c00c6ce96a36
  SHA1: a938f986c48ef5a3dc0973bf767b518694f72de0
  SHA256: 6dbe3cda1c3e763185ad895d737a2fd0b2c5d1704dd12728bcc498165c402f61
  SHA512: f8efdfd540541f09619af4148613c6025a64419f388e3a6943db5d3f8eb55aaf537663e5a941bc7b64cdaa75c16ebed48047118b2094aa54eba2f231969e8005
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 432B
  MD5: 8b25ea45a9f305d64dfb31a3c8508a01
  SHA1: 56d7ba9bb4f1b6e2eb0629409068a7cbb6a1b95d
  SHA256: d594ed37296fdabbb0872f6d3a2ebaa965df1bce1c79980830f60bb361354ac6
  SHA512: 5e2fa8168e575aad83f7dfea43c6eb62ab4aa97f5db5eaf0445fa99c646ebc3b3b14c4c5fc13d98964e2a286c34ff98c2d96e169907b66acb0a9715ae208ebb5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
  Filesize: 70KB
  MD5: e5e3377341056643b0494b6842c0b544
  SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
  SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
  SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
  Filesize: 2KB
  MD5: 483aa2bbd0f04ed7b98716095d7339f4
  SHA1: 6607d5ed871a7ac1bb7d5da9a68d62f1eb58a618
  SHA256: 495de73b935b2187597b4869f8290e985963bbf5703e68ec96cfa44f96048739
  SHA512: e7f5969ee5d4aac80b7253967244498bd93796c3da5f5239c01b1babcf4e7253db6eab1a83563189c6df9e5b20059300bd62019ebc93f21f82e2aee066fd79e3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 4KB
  MD5: e180d31a5f014ac66298f8a998795c6f
  SHA1: 6a6ebe3da620a322732fc5062e4903ba7295cb09
  SHA256: 5c6814abcc715eccbfc9d304d8713bb712199f75a9afa38d46d4ca514fb1c841
  SHA512: 313dfd8d336934708558c10bf9bc999107ff937f8e427d86b43e541d5b0d2e2b362b1a950f3a47e1dcfb6136d4f8cc1be673166e1143d27dd410f24d0674a4ec
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 4KB
  MD5: 60f6a085a1af167f2e8ee0de4cde99ed
  SHA1: a850e6d96a6e3e0dabee5ebdf53f8d83200a64db
  SHA256: d5a80a11946776e28d24e3c9eea6e2ad6ae915b965f8d73aaba5b3ccc1d8f7a6
  SHA512: c388baed6199fee8373612442b67a215b756efe2feee35e6b41b4dad50d6ff7c1c8cbad22a92213ebfc7b324a41e45b7d12c193dafcedfd6c26eac5344341e51
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 143f51e201f206e81988408aa52dc6f6
  SHA1: f710cf77515e6b906043c6e1100240458f38de27
  SHA256: a12928cf2b33c5ea5186ebd40ea66efe09078a1650c2bf882f6754f4c8e1e270
  SHA512: 82521db220321b25e155c71b3deb8760a81ca157cc97a8ca839b0255b0b37cf8d31a3400233226c80673207431cb948005e345b04e1fcb2bd98e2bdcd4b160e7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5: d53ac35ab3976e67caeed75c4d44ffc1
  SHA1: c139ab66d75dc06f98ada34b5baf4d5693266176
  SHA256: 647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
  SHA512: 391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 9KB
  MD5: 87031e0474c9f1cff18b242bab85e72e
  SHA1: 256e6dce9047dd1197fd1aef8360ec03d524ac72
  SHA256: 081e3e5e4d6718d558fcec1fe8250ee0d386d81bd047e2992ef5c01a927334f7
  SHA512: 76fb467ad733bfb9ab99260a81bd9a8f17a8d73ba98b1597a0396b9ea26c36ccc8609a49be763417a14e24b77482e249b652a20ccb9d65fb1a673914b4dc5c3c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 9KB
  MD5: 117a05cad75d7519b7ab3a6984974a2a
  SHA1: 21552a2d5e01db9095b298daf08d7dc757e72dc5
  SHA256: 19749b24e42ecdb571c93c5a98a405175ed99411bee81965cbd60b0816faf00d
  SHA512: 955c35fce0b6112b6d636597397cf8dee47878a885df70aa5e13ab229707d097f1a0c55996c0ad8c7f8a651729d4c37ad56c8a3eb109fa4ad586907298fb4b53
- C:\Users\Admin\AppData\Local\Temp\tmp7DDF.tmp.bat
  Filesize: 158B
  MD5: 581582c5afae6b8009420f2bafdd8ddf
  SHA1: d33e2731eb0d50b8a14f94501ffffb13d59c34b8
  SHA256: b90f90dede9aba245af797a7a1687e9c88b2b872b58ba9bb4f83065c3e686674
  SHA512: 0afd8802dd62887fc2160f52e7b841e17a6a78ecf8a06525ee94c0a305769aa288fb4016ba244e379c48bfdb7c934d6fb0fca862154bade203d65aa17b6888e5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 3KB
  MD5: 1240c233770b26aaecec986c72642570
  SHA1: 1aac755856793fc2155c1ff5c906702793cbec48
  SHA256: 5000616b07d5e1a667b889656ceba5e7af0b85580eec2ae9e360aeeded74f549
  SHA512: 6a0086fb6708917cead85345f1ebd89563ec1384b65850cf717db759dcf97cb33903594b08753a32ae4a880235ed73ed0b43e36032c6ec46ca5a08385feafb50
- C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe (this entry appears twice in the report; the hashes are identical to the submitted LafameBeta.exe, i.e. the RAT copies itself unchanged into %AppData%)
  Filesize: 45KB
  MD5: a7f473e14b7c3e56561ff51f87b2f279
  SHA1: 799bb3816916db3e6e92ff665c34e020cf444859
  SHA256: 05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361
  SHA512: eb118655b71c4b04cc9da4de9f943b98ce9c7ca562835a39a757a4e5f333da0fdcb39c34eec0f5351855875a301078ecc96126af32c17f4f1eff512c4cdc5e69
- \??\pipe\LOCAL\crashpad_4964_MEHOBVISMDVLIFHJ (Edge crashpad named pipe; the hashes below are those of zero-length input, so no content was captured)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps (pid-sequence-range; the 2008-133 dump is the one the asyncrat YARA rule matched):
- memory/2008-136-0x0000000005200000-0x000000000529C000-memory.dmp  Filesize: 624KB
- memory/2008-133-0x0000000000100000-0x0000000000112000-memory.dmp  Filesize: 72KB
- memory/2008-135-0x0000000004DA0000-0x0000000004E06000-memory.dmp  Filesize: 408KB
- memory/2008-134-0x0000000004B90000-0x0000000004BA0000-memory.dmp  Filesize: 64KB
- memory/2808-148-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-156-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-147-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-149-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-159-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-157-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-158-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-153-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-155-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/2808-154-0x000001E245B40000-0x000001E245B41000-memory.dmp  Filesize: 4KB
- memory/4912-163-0x0000000006B90000-0x0000000006BAE000-memory.dmp  Filesize: 120KB
- memory/4912-160-0x00000000063B0000-0x0000000006954000-memory.dmp  Filesize: 5.6MB
- memory/4912-162-0x0000000006BE0000-0x0000000006C56000-memory.dmp  Filesize: 472KB
- memory/4912-146-0x0000000005240000-0x0000000005250000-memory.dmp  Filesize: 64KB
- memory/4912-145-0x0000000005240000-0x0000000005250000-memory.dmp  Filesize: 64KB
- memory/4912-513-0x0000000006ED0000-0x0000000006F62000-memory.dmp  Filesize: 584KB