Analysis
max time kernel: 22s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-09-2023 11:55
Behavioral tasks
behavioral1: Panda Regedit/Guna.UI2.dll on win7-20230831-en
behavioral2: Panda Regedit/Guna.UI2.dll on win10v2004-20230831-en
behavioral3: Panda Regedit/Panda_Panel.exe on win7-20230831-en
behavioral4: Panda Regedit/Panda_Panel.exe on win10v2004-20230831-en
behavioral5: Panda Regedit/Panda_System.exe on win7-20230831-en
behavioral6: Panda Regedit/Panda_System.exe on win10v2004-20230831-en
General
Target: Panda Regedit/Panda_Panel.exe
Size: 889KB
MD5: 89a318e3f4ab22a7d59e788628fc4f8c
SHA1: 05fd6065f8ff1f356c352ce836bcd25f861a85bf
SHA256: 97815efda6c181706b97f3a030a3c0bbc481a5ebb7062ae84b1d2f38c6dd8d41
SHA512: 3d0172cedf9b0ef9f859f9eb8426144350adc32258504227749e2a3c6a07ec151123f19f3180edfb5ea4ddfe90c59ffd7297403995da7ba82a0ee29531a81baa
SSDEEP: 24576:hFfISEtqavW9da+xzd6IMYLpWvKFFfFfI:D1javWD7nZp/FFV
Malware Config
Extracted
Family: mercurialgrabber
Discord webhook: https://discord.com/api/webhooks/960950114506137713/2VnEvTnRUjX3Q7jSvAeHvgUeWoeWrHD-r2E7c3d8XPPxFaj_tSm0MlikzmnIxO4nnsn0
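The extracted configuration is a single Discord webhook URL, which is the stealer's exfiltration channel. The following is an added example, not code from the sandbox report or from the Mercurial Grabber project: it pulls the webhook, the invite link and the IP-lookup hosts out of a strings dump and derives the webhook's creation time from its ID. The strings buffer is constructed for the example (it contains the URLs this report lists); the token-length bound in the regex is an assumption; the snowflake decoding uses Discord's documented epoch of 2015-01-01T00:00:00Z.

```python
"""Pull a Mercurial Grabber-style configuration out of a strings dump.

Added example, not code from the sandbox or the Mercurial Grabber project.
SAMPLE_STRINGS is a constructed stand-in for `strings` output on the sample.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: what a `strings` run over the sample might contain.
SAMPLE_STRINGS = """\
Guna.UI2.dll
https://discord.com/api/webhooks/960950114506137713/2VnEvTnRUjX3Q7jSvAeHvgUeWoeWrHD-r2E7c3d8XPPxFaj_tSm0MlikzmnIxO4nnsn0
https://discord.gg/WYNH3S6Q
http://ip-api.com/json/
https://ip4.seeip.org
SOFTWARE\\Oracle\\VirtualBox Guest Additions
"""

# Webhook URL: numeric snowflake ID, then a long URL-safe token. The 60+ token
# length is an assumption that filters out truncated or partial matches.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,})"
)
INVITE_RE = re.compile(r"https?://discord(?:\.gg|\.com/invite)/([A-Za-z0-9-]+)")
# Hosts seen in the report's network flows.
IP_LOOKUP_HOSTS = ("ip4.seeip.org", "ip-api.com")

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the Discord snowflake epoch


def snowflake_created_at(snowflake: int) -> datetime:
    """A Discord snowflake carries its creation time (ms since the epoch) in the top 42 bits."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def extract_config(strings_blob: str) -> dict:
    """Return webhooks (with creation time), invite codes and IP-lookup hosts found in the blob."""
    webhooks = []
    for m in WEBHOOK_RE.finditer(strings_blob):
        wid, token = int(m.group(1)), m.group(2)
        webhooks.append({
            "url": m.group(0),
            "id": wid,
            "token": token,
            "created_at": snowflake_created_at(wid).isoformat(),
        })
    invites = [m.group(1) for m in INVITE_RE.finditer(strings_blob)]
    lookup_hosts = sorted(h for h in IP_LOOKUP_HOSTS if h in strings_blob)
    return {"webhooks": webhooks, "invites": invites, "ip_lookup_hosts": lookup_hosts}


if __name__ == "__main__":
    import json
    print(json.dumps(extract_config(SAMPLE_STRINGS), indent=2))
```

The creation time is worth recording in triage notes: for this sample the webhook ID decodes to April 2022, well before the September 2023 submission. The id/token pair in the URL is the complete credential for the webhook, so a found URL should be reported to Discord (or removed through the webhook's own token-authenticated delete endpoint) rather than left live.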
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Panda_System.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Panda_System.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Panda_System.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Panda_System.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Panda_System.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation | Panda_Panel.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
57 | ip4.seeip.org
29 | ip4.seeip.org
30 | ip4.seeip.org
31 | ip4.seeip.org
33 | ip-api.com
45 | ip4.seeip.org
49 | ip4.seeip.org
56 | ip4.seeip.org

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Panda_System.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Panda_System.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
pid | pid_target | process | target process
2236 | 4496 | WerFault.exe | Panda_System.exe
4536 | 5096 | WerFault.exe | Panda_System.exe
4832 | 5072 | WerFault.exe | Panda_System.exe

Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Panda_System.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Panda_System.exe

Enumerates system info in registry (2 TTPs, 11 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Panda_System.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Panda_System.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Panda_System.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
2564 | msedge.exe
2564 | msedge.exe
4584 | msedge.exe
4584 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | process
4584 | msedge.exe
4584 | msedge.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4496 | Panda_System.exe
Token: SeDebugPrivilege | 5096 | Panda_System.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | process
4584 | msedge.exe (25 identical rows)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | process
4584 | msedge.exe (24 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with the row count in the last column)
description | pid | process | target process | rows
PID 2688 wrote to memory of 4496 | 2688 | Panda_Panel.exe | Panda_System.exe | 2
PID 2688 wrote to memory of 4584 | 2688 | Panda_Panel.exe | msedge.exe | 2
PID 4584 wrote to memory of 4752 | 4584 | msedge.exe | msedge.exe | 2
PID 2688 wrote to memory of 5096 | 2688 | Panda_Panel.exe | Panda_System.exe | 2
PID 2688 wrote to memory of 4316 | 2688 | Panda_Panel.exe | msedge.exe | 2
PID 4316 wrote to memory of 4424 | 4316 | msedge.exe | msedge.exe | 2
PID 4584 wrote to memory of 4944 | 4584 | msedge.exe | msedge.exe | 40
PID 4584 wrote to memory of 2564 | 4584 | msedge.exe | msedge.exe | 2
PID 4584 wrote to memory of 884 | 4584 | msedge.exe | msedge.exe | 10
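The anti-analysis signatures above all reduce to a small set of registry paths (hypervisor vendor keys, BIOS description values, the SCSI and disk enumeration keys, and the Geo\Nation value used for the geofence). The following is an added example, not part of the sandbox report: it runs that classification over constructed registry-access events shaped like the report's "Key opened" / "Key value queried" records and returns a per-process verdict. The design point it makes is the caveat the report itself illustrates: msedge.exe also reads BIOS manufacturer and product values, so a single system-information query must not be scored as evasion; only a key that names a hypervisor outright, or several distinct weak categories, should. The extra SCSI vendor strings (VBOX, QEMU, Virtual) and the weak-category threshold are assumptions that generalize beyond the VMware key this report shows; a real pipeline would feed Sysmon EventID 12/13 or ETW registry events into `classify` in place of the constructed list.

```python
"""Score sandbox/VM-evasion registry activity per process.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report's "Key opened" / "Key value queried" rows; the rule patterns are the
keys the report's signatures fired on (plus assumed extra hypervisor vendors).
"""
import re
from collections import defaultdict

# Constructed events: (process, pid, operation, key) as the report prints them.
EVENTS = [
    ("Panda_System.exe", 4496, "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    ("Panda_System.exe", 4496, "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools"),
    ("Panda_System.exe", 4496, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("Panda_System.exe", 4496, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation"),
    ("Panda_System.exe", 4496, "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S"),
    ("Panda_System.exe", 4496, "Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"),
    ("Panda_Panel.exe", 2688, "Key value queried", r"\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation"),
    ("msedge.exe", 4584, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("msedge.exe", 4584, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
]

# Category -> regex over the key path. Case-insensitive because the report itself mixes Disk/disk.
RULES = {
    "vbox_guest_additions": re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
    "vmware_tools": re.compile(r"\\SOFTWARE\\VMWare, Inc\.\\VMWare Tools", re.I),
    "bios_strings": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(?:BIOS\\)?"
        r"(VideoBiosVersion|SystemBiosInformation|SystemManufacturer|SystemProductName)$", re.I),
    # VMware is what the report shows; VBOX/QEMU/Virtual are assumed extra vendor strings.
    "scsi_vendor": re.compile(r"\\Enum\\SCSI\\Disk&Ven_(VMware|VBOX|QEMU|Virtual)", re.I),
    "disk_enum": re.compile(r"\\Services\\disk\\Enum", re.I),
    "geofence": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
}
# Categories that name a hypervisor outright: one hit is enough to call it evasion.
STRONG = {"vbox_guest_additions", "vmware_tools", "scsi_vendor"}
# Weak categories are read by plenty of legitimate software (browsers, installers, telemetry),
# so a process must hit this many distinct weak categories before it is flagged. Assumed value.
WEAK_THRESHOLD = 2


def classify(events):
    """Return {(process, pid): set(categories)} for every event that matches a rule."""
    hits = defaultdict(set)
    for process, pid, _op, key in events:
        for name, rx in RULES.items():
            if rx.search(key):
                hits[(process, pid)].add(name)
    return hits


def verdict(categories):
    """Reduce one process's categories to 'vm_evasion', 'geofence', 'sysinfo_only' or None."""
    strong = categories & STRONG
    weak = categories - STRONG - {"geofence"}
    if strong or len(weak) >= WEAK_THRESHOLD:
        return "vm_evasion"
    if "geofence" in categories:
        return "geofence"
    if weak:
        return "sysinfo_only"
    return None


def triage(events):
    """Map 'process:pid' to its verdict and the categories behind it."""
    return {
        f"{process}:{pid}": {"verdict": verdict(cats), "categories": sorted(cats)}
        for (process, pid), cats in classify(events).items()
    }


if __name__ == "__main__":
    for proc, result in triage(EVENTS).items():
        print(proc, result["verdict"], ", ".join(result["categories"]))
```

On the constructed input, Panda_System.exe (PID 4496) scores as VM evasion on the vendor keys alone, Panda_Panel.exe (PID 2688) is flagged only for the geofence lookup, and msedge.exe (PID 4584) comes out as system-information reads with no evasion verdict, which is the distinction a detection rule built from this report needs to preserve.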
Processes
(one entry per process, indented by depth in the tree; each entry gives the command line, then the PID and the signatures that fired for that process)

"C:\Users\Admin\AppData\Local\Temp\Panda Regedit\Panda_Panel.exe"
PID 2688: Checks computer location settings; Suspicious use of WriteProcessMemory

    "C:\Users\Admin\AppData\Local\Temp\Panda Regedit\Panda_System.exe"
    PID 4496: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\WerFault.exe -u -p 4496 -s 2088
        PID 2236: Program crash

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/WYNH3S6Q
    PID 4584: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f6e446f8,0x7ff8f6e44708,0x7ff8f6e44718
        PID 4752

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        PID 2564: Suspicious behavior: EnumeratesProcesses

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        PID 884

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        PID 4944

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        PID 2012

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        PID 1916

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
        PID 64

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
        PID 768

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        PID 2996

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        PID 2016

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
        PID 4388

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3832 /prefetch:8
        PID 4108

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,3662077147942911130,17651309919063552047,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2336 /prefetch:8
        PID 3412

    "C:\Users\Admin\AppData\Local\Temp\Panda Regedit\Panda_System.exe"
    PID 5096: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\WerFault.exe -u -p 5096 -s 2068
        PID 4536: Program crash

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/WYNH3S6Q
    PID 4316: Suspicious use of WriteProcessMemory

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f6e446f8,0x7ff8f6e44708,0x7ff8f6e44718
        PID 4424

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,222478347263211094,895264378195219973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
        PID 4832

    "C:\Users\Admin\AppData\Local\Temp\Panda Regedit\Panda_System.exe"
    PID 5072

        C:\Windows\system32\WerFault.exe -u -p 5072 -s 2072
        PID 4832: Program crash

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/WYNH3S6Q
    PID 4192

        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff8f6e446f8,0x7ff8f6e44708,0x7ff8f6e44718
        PID 4372

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 60

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 2024

C:\Windows\system32\WerFault.exe -pss -s 408 -p 4496 -ip 4496
PID 4448

C:\Windows\system32\WerFault.exe -pss -s 460 -p 5096 -ip 5096
PID 4448

C:\Windows\system32\WerFault.exe -pss -s 504 -p 5072 -ip 5072
PID 3588
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B (six dropped files with identical content)
MD5: d8294073f3582e3c0a607a60b6d6ca48
SHA1: 3ee881f415563afd0c8265f37eb78235aae909bd
SHA256: 31900aacca28ff914c07a077cb9a39ec437ee059958564d718d04ae47426e286
SHA512: 8c256228dadfa577cdf938d25ac082a232f1e756cedd587f8e1855c0ff7c09571ebffc8221016ccfdfe0b17d356239685eadd72eaa7c32fe46fcfcdf4aa6cb07

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 480B
MD5: 46d80fe7e8c5ef260f662b1b687d8777
SHA1: d7b79b4f72931e455eb8ea15e84b410013bc8f10
SHA256: ea148ce44cc34b8f99a7381cb58b76bc2a7e7ab435b7d8b807b5095ff094299d
SHA512: b9009eda79b0da2e5d045c2bb1e2b8604b7167045dc423d43401d0e5db706205be93c95610fbdd9e91563582e16e757763dcf235cd6890e5255e95c4454e6d9b

Filesize: 536B
MD5: a9167c7a5fb08c47dcdc9e8e12acf8e5
SHA1: a4be9358b7afc207787fff520843dd79f80c07ac
SHA256: abdb10450150d8005f5b4ec08800788cc59f62e355c67d12c96c270ca320895b
SHA512: 361cbc2d4018bbb63d71ce2f43dfdbb2552daa201206a277dad2b4580782baace39d8e09435a767d77d6084272190272dfc36e46932ff1c2a45dd1967e2cd984

Filesize: 6KB
MD5: 1e5d3fbdaa95ea7cb1bef60665279f2f
SHA1: f81fd51a0760a2df0daf6fd1a39cb3e423f85de4
SHA256: 504fdbe06c01f4c463f6359856c3435e628c6b191c41cb9ab766a0161a959678
SHA512: 8764414d388731537a172445852119e764111cfc4042d343a2727945a86de8d893da67d59944e90e39306b5fc69962a399dab1cf0bebd95e0e7828c6007f2ba7

Filesize: 5KB
MD5: a6b3c1e0f0d62c4a9d72c7f91de87b05
SHA1: c3db6ee4ab56f927560321c09f90fbed7c0b009f
SHA256: 4efe2a41c857de757fba8a5e61f99ef2f4d0ae651aebb1255cf4718cb074a57b
SHA512: da3e1c326660678f1c67044eb1d91117ec9b68a06382706f7984aaccb5b855581be10e1fc2104175dce35e83c2711c45acdb81833058d64a4cf28b85843beba8

Filesize: 24KB
MD5: 4994b56e9f61db1c1a6f54be60a67e09
SHA1: c3c0402d8966a1dc0e4e2e2708198b526844e4cc
SHA256: 078187574b3190652720cf78177d7bf300dfb359c3e783d8f57e7817c36c62b4
SHA512: ac9553479639e4a4d2ff2d25920f4fc568584a242cae18f3dbe3db050aaad3d8600c17f3f5bbc27853d4f7dbbe50a50a2cabe9a9459fbb6918e8e4ec34559ca7

Filesize: 2KB (two dropped files with identical content)
MD5: 8a0fceb91cc0870895778848cf74b297
SHA1: 70041c83e8988c8df752508e9bd4640d13232520
SHA256: 72da4aa38965ae9f03a5f235d9d6c9f2b3b4d8af748c093db7850663c98effaa
SHA512: 5bb5adab0d2cbd786a78450bcc0380ec33f640538f5446c5a1a70e53173b8e15c3943de5596553076f29e3b804308ad173ff6f17e19442a85697a4b177c4c11d

Filesize: 10KB
MD5: e90039b9903f4540490e64586eea72bf
SHA1: e6cbeb1479d8a66ec0fcb7de56e719bcffff1dc3
SHA256: 12376794ef2060d33af37316ef9bda4a5c07f21498f4a5878e7fcdc40ad66791
SHA512: f87687a0fb5385d9b0c9c15462fc91ae40d8af234a63d52da0b024de154ae8082125ac288f89d5ab7640cbd3012c9e9dbd1223d20d54763a48f7aa7cf79b2e97

Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Filesize: not recorded (these are the hashes of a zero-length file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e