Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/09/2023, 06:30

General

  • Target

    Half-open_limit_fix_4.2.exe

  • Size

    360KB

  • MD5

    f35d7d71ca9764a02a3ee4876c0be0f5

  • SHA1

    f1a25502e86ba9babb9d22bcfe165668f936b329

  • SHA256

    bb59a39a6db7a08ebe4cdf80bdf044c8056a09210076336b141c514506f39472

  • SHA512

    b1485c7f4508e783d53fd0c87ed940ca552bf9333420f877833fdb2c81bba87a1d6d9d5d6d2867d8b769282c786420988f16c3a4eaf17fee2b428f34cd4082c0

  • SSDEEP

    6144:C4vctX8ORFpVO8YksvQJ2Txvu6lRcRK05qzdUKEbKU5jwU3IIazQw55+/:CljpVO8YksvQJ2T5u6li5qBEbKWwQII9

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Possible privilege escalation attempt 24 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 24 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
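
The "UPX packed file" signature above is worded "UPX/modified UPX" for a reason: the two cheapest tells, the UPX0/UPX1 section names and the "UPX!" magic, are exactly what a modified UPX build changes first. The block below is an added example, not the sandbox's own rule and not code from the sample's author. It parses only the PE header fields it needs from the raw bytes (no third-party PE library) and combines the name and magic checks with a structural indicator that survives renaming: a first section that reserves virtual space but carries no raw data (the unpack target) next to a high-entropy raw section. The three PE images it checks are constructed in-memory fixtures built by `build_pe`, not real files; `pseudo_random`, `upx_indicators` and `looks_packed` are names chosen here.

```python
"""Structural checks for UPX-style packing.

Added example, not the sandbox's own rule. It reads only the PE fields it needs
(e_lfanew, COFF header, section table) and tests three independent indicators:
UPX section names, the "UPX!" magic, and a first section that reserves virtual
space but has no raw data (the unpack target), confirmed by the entropy of the
largest raw section. The PE images at the bottom are constructed fixtures.
"""
import hashlib
import math
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes

def pe_sections(data):
    """Return [(name, virtual_size, raw_size, raw_offset)] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    secs = []
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr, *_ = SECTION_HEADER.unpack_from(data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, rptr))
    return secs

def entropy(blob):
    """Shannon entropy in bits per byte (8.0 is uniformly random)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)

def upx_indicators(data):
    secs = pe_sections(data)
    largest = max(secs, key=lambda s: s[2])
    body = data[largest[3]:largest[3] + largest[2]]
    return {
        "upx_names": any(s[0].startswith("UPX") for s in secs),
        "upx_magic": b"UPX!" in data,
        "empty_first_section": secs[0][2] == 0 and secs[0][1] > 0,
        "high_entropy": entropy(body) > 7.0,
    }

def looks_packed(data):
    """Names and magic are trivially changed by a modified UPX build, so the
    structural pair (empty first section plus high entropy) stands on its own."""
    i = upx_indicators(data)
    return i["upx_names"] or i["upx_magic"] or (i["empty_first_section"] and i["high_entropy"])

def build_pe(sections):
    """Constructed fixture: valid MZ/PE/COFF headers and section table, with no
    optional header (SizeOfOptionalHeader = 0) and no code; it would not load."""
    pe_off, n = 0x40, len(sections)
    raw_start = pe_off + 24 + 40 * n
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)
    body = bytearray()
    for name, vsize, raw in sections:
        rptr = raw_start + len(body) if raw else 0
        hdr += SECTION_HEADER.pack(name.ljust(8, "\0").encode(), vsize, 0x1000,
                                   len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(hdr + body)

def pseudo_random(n, seed=b"upx-demo"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

PACKED = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x1000, b"UPX!" + pseudo_random(4092)),
                   (".rsrc", 0x200, b"\0" * 512)])
RENAMED = build_pe([(".text", 0x20000, b""), (".data", 0x1000, pseudo_random(4096, b"renamed"))])
PLAIN = build_pe([(".text", 0x1000, b"\x90\x00" * 2048), (".data", 0x100, b"A" * 256)])

if __name__ == "__main__":
    for label, img in (("PACKED", PACKED), ("RENAMED", RENAMED), ("PLAIN", PLAIN)):
        print(label, looks_packed(img), upx_indicators(img))
```

`RENAMED` is the case the signature text hedges about: no UPX names, no magic, yet `looks_packed` still returns True from the empty-first-section plus entropy pair, while the low-entropy `PLAIN` image trips none of the four indicators. The entropy threshold of 7.0 bits per byte is a working assumption; compressed resources or embedded archives in an unpacked binary can exceed it, which is why it is only used together with the empty first section.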

Processes

  • C:\Users\Admin\AppData\Local\Temp\Half-open_limit_fix_4.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Half-open_limit_fix_4.2.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3400
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3516
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3112
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3508
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4180
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:984
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1820
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4948
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2864
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3680
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2352
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4924
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4968
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4412
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1984
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1848
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2472
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1680
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4548
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4676
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd41b46f8,0x7ffcd41b4708,0x7ffcd41b4718
        3⤵
          PID:2300
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
          3⤵
            PID:3548
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3428
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2348 /prefetch:2
            3⤵
              PID:4172
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
              3⤵
                PID:3068
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
                3⤵
                  PID:1380
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
                  3⤵
                    PID:320
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
                    3⤵
                      PID:4612
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
                      3⤵
                        PID:5004
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                        3⤵
                          PID:3176
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
                          3⤵
                            PID:2228
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
                            3⤵
                              PID:708
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
                              3⤵
                                PID:4140
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
                                3⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4816
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
                                3⤵
                                  PID:452
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
                                  3⤵
                                    PID:3668
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
                                    3⤵
                                      PID:4776
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
                                      3⤵
                                        PID:4900
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,16563434736550326644,2864808403091720013,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
                                        3⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3216
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4596
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1464

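Every cmd.exe child in the tree above runs the same three-step chain: takeown.exe /F <file> /A, icacls.exe <file> /reset, icacls.exe <file> /grant <user>:f. That is the standard way an already-elevated process strips TrustedInstaller's ownership from a protected file before overwriting it (takeown /A needs SeTakeOwnershipPrivilege, which is why each takeown.exe carries the "Suspicious use of AdjustPrivilegeToken" tag), and it accounts for the 24 IoCs under "Possible privilege escalation attempt" and "Modifies file permissions". Two details in the command lines are worth a second look: the grant target is "Admin" (the sandbox user) for tcpip.sys and rescache but the empty string "" for every user32.dll.mui, and the tcpip.sys chain lists the icacls /reset before the takeown. The block below is an added example of detection logic over process-creation events, not the sandbox's own signature and not code from the report. Its events are constructed from the command lines and PIDs in the tree (the parent PID 2500 and the benign control event with PID 5100 are invented), and the record layout (pid, ppid, image, cmdline) is an assumption modelled on Sysmon Event ID 1 fields, not a format the report defines.

```python
"""Flag the takeown -> icacls /reset -> icacls /grant chain on protected paths.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's own command lines and PIDs; the record layout (pid, ppid, image,
cmdline) is an assumption modelled on process-creation telemetry such as
Sysmon Event ID 1, not a format the report defines.
"""

PROTECTED_PREFIXES = ("c:/windows/",)   # assumption: the whole Windows tree

def split_args(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes. Quotes
    are stripped, but "" still yields a token, as in the report's /grant "":f."""
    args, buf, in_quotes, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, pending = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if pending:
                args.append("".join(buf))
            buf, pending = [], False
        else:
            buf.append(ch)
            pending = True
    if pending:
        args.append("".join(buf))
    return args

def norm(path):
    return path.replace("\\", "/").lower()   # case-fold, one separator

def classify(event):
    """Map a takeown/icacls process to (action, target, principal), else None."""
    image = norm(event["image"]).rsplit("/", 1)[-1]
    args = split_args(event["cmdline"])[1:]               # drop argv[0]
    upper = [a.upper() for a in args]
    if image == "takeown.exe" and "/F" in upper and upper.index("/F") + 1 < len(args):
        # /A hands ownership to the Administrators group instead of the caller
        return ("takeown", args[upper.index("/F") + 1], "Administrators" if "/A" in upper else "caller")
    if image == "icacls.exe" and args:
        if "/RESET" in upper:
            return ("icacls_reset", args[0], None)
        if "/GRANT" in upper and upper.index("/GRANT") + 1 < len(args):
            grantee = args[upper.index("/GRANT") + 1].partition(":")[0]   # Admin:f, or :f when empty
            return ("icacls_grant", args[0], grantee)
    return None

def detect(events):
    """Group takeown/icacls actions by target and keep those on protected paths:
    action sequence in event order, every principal named (empty strings
    included) and the top-most ancestor that started the chain."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    image_of = {e["pid"]: e["image"] for e in events}

    def root_image(pid):
        while parent_of.get(pid) in image_of:
            pid = parent_of[pid]
        return image_of[pid].rsplit("\\", 1)[-1]

    findings = {}
    for e in events:
        hit = classify(e)
        if hit is None:
            continue
        action, target, principal = hit
        key = norm(target)
        if not key.startswith(PROTECTED_PREFIXES):
            continue
        f = findings.setdefault(key, {"target": target, "actions": [], "principals": [],
                                      "root": root_image(e["pid"])})
        f["actions"].append(action)
        if principal is not None:
            f["principals"].append(principal)
    return findings

# Constructed from the report's tree (PIDs 4312/636/3964/3400/3516, 3000/1984/1848/2472)
# plus one benign icacls on a user file (PID 5100, invented) as a control.
EVENTS = [
    {"pid": 4312, "ppid": 2500, "image": r"C:\Users\Admin\AppData\Local\Temp\Half-open_limit_fix_4.2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Half-open_limit_fix_4.2.exe"'},
    {"pid": 636, "ppid": 4312, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"'},
    {"pid": 3964, "ppid": 636, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r'"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A'},
    {"pid": 3400, "ppid": 636, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset'},
    {"pid": 3516, "ppid": 636, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f'},
    {"pid": 3000, "ppid": 4312, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"'},
    {"pid": 1984, "ppid": 3000, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset'},
    {"pid": 1848, "ppid": 3000, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r'"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A'},
    {"pid": 2472, "ppid": 3000, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f'},
    {"pid": 5100, "ppid": 2500, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" "C:\Users\Admin\Documents\notes.txt" /grant "Admin":F'},
]
```

Run against these events, `detect` returns two findings keyed on the normalised target path, each attributed to Half-open_limit_fix_4.2.exe by walking the parent chain through cmd.exe; the benign icacls on a file under C:\Users is dropped by the prefix check. The tokenizer keeps the empty quoted grantee as "" instead of losing it, so the .mui finding shows principals ["Administrators", ""], which is the detail an analyst should notice rather than have normalised away. On a real sensor, the parent-walk needs the process table to be stable across the whole chain; here it is, because all events are supplied at once.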
Network

MITRE ATT&CK Enterprise v15

Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        f95638730ec51abd55794c140ca826c9

                                        SHA1

                                        77c415e2599fbdfe16530c2ab533fd6b193e82ef

                                        SHA256

                                        106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

                                        SHA512

                                        0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

                                        Filesize

                                        19KB

                                        MD5

                                        b49848062e1daf78ba945c54da5da273

                                        SHA1

                                        529cc7ad493b0ae7ffcbd859aa9890ec6c8afb6a

                                        SHA256

                                        67150f97072fecff29bc2527ace4b0bcf007e2731a73079ff997873663114f8d

                                        SHA512

                                        87f2b972c37cff75e050695ce50d5083568007ac8dee0352bb0691f4ea735d9abe49985737becbf28316b049805ac65b21b5a7d7120dcca421ce89ffbdde22f5

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                        Filesize

                                        384B

                                        MD5

                                        284400c38437034ffcf41d0938961579

                                        SHA1

                                        93e5463a4ae3822320956c99c3994bf678931e60

                                        SHA256

                                        bffbdb77ead7ac8c369d0bf31db56deb127ba9cc55b32ab341a44adf088d6f1d

                                        SHA512

                                        1a0f5762f1660d52007919630d2a4f5e313a8d5fb47d9e044cef2fc7993eb0fddee77a94aab2e92184985c7681b969725dc162c5f96147ac04addfd47429f513

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        111B

                                        MD5

                                        285252a2f6327d41eab203dc2f402c67

                                        SHA1

                                        acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                        SHA256

                                        5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                        SHA512

                                        11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        2KB

                                        MD5

                                        a16ebeeee29940e39cd84780fa3e974d

                                        SHA1

                                        621d20b14bcdf98bef7ea64139f2da352f18d820

                                        SHA256

                                        1e09a4027d28256d3724a5d0a8f42baee1ccb68dc2fd53f31ce6a9505dfbfaa9

                                        SHA512

                                        e3a6939ad9183a6965155815b9f0e1b8b96b5398f11a0c42dace4cbb167c7fd5de9d591644fe3944453a7de3166072d19a2ffdc3e596992105501e1190c40cc7

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        52f6dbef3f495b204ff25fac43555f5f

                                        SHA1

                                        464775b4ee440f23284f2f95c4bce686e61d1458

                                        SHA256

                                        52d3cddb2a5c4deb54f8614ed62850fdfd79a636d7441eb1f288702502505f79

                                        SHA512

                                        22ca51265421497c4c8f5d7e29f0fc8edf0eb36abd384222bef101b6ed05f2f0a52160512f5cf83c80ffea52ef0f5cce14491fbd5f6ae6305a914c41f94891e8

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        19a5bc6628f17c1c523412da9a37c773

                                        SHA1

                                        544312ad19c10b4510d8c355e751bfaad13436be

                                        SHA256

                                        4af76cba35875b8095eb3cc141270ef188ca6d4d0d93e84a331e409ac913365a

                                        SHA512

                                        1afcba618201ca13df439c30e9b93547a78990f62da06f4ddcf9f38a992fc6ddaa17f763858ec63543a21948fd0c79c4a2a6eb56167ae20d4c43da17ab67b8e4

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                        Filesize

                                        24KB

  MD5       4a078fb8a7c67594a6c2aa724e2ac684
  SHA1      92bc5b49985c8588c60f6f85c50a516fae0332f4
  SHA256    c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
  SHA512    188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize  16B
  MD5       6752a1d65b201c13b62ea44016eb221f
  SHA1      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  10KB
  MD5       460b89b791ab61162c93616d236f2182
  SHA1      a9507be9cc5c64e8d9d06fe01453cbbf80f8fb50
  SHA256    972a8a05f597cd41227d87ad43f8ddd29bf40952f8e935572fb0903ec73e08c4
  SHA512    66c5f6ff1e942aa0c1ab565a1a45b44e23a6d78e1bff511f76071b311905b385dc819ea9177c0bec4fe3b3afa239d12258bf675bb187238ba7161fde9b50a02a

• C:\Windows\System32\de-DE\user32new.dll.mui
  Filesize  19KB
  MD5       f8d6dd4349b7f240c6cd4d04d21657f7
  SHA1      744e7220be770ddce55fc6242fa3c5547725fcd7
  SHA256    bd2c70e7e8720942b4bc3020929b894bfbe5e9d97082a821272b73f5d480e9b3
  SHA512    96f3e427b735a63b49c07e7f14754b996324a58cc15cf99e55c1ba1555dfdbeb7734719b06d4a95c322b3a9bb31c0bb192d78b06981c03ba0678538dd4890f4f

• C:\Windows\System32\en-US\user32new.dll.mui
  Filesize  17KB
  MD5       90b43ec7eb2e379561b0efd0d93342bb
  SHA1      efdc5321144229a02e2347ae71ef1e9a869d8d3c
  SHA256    6921a8d82bd3586df770d2854dc9c538f6de996a64c63c29e31b1e84be040f4a
  SHA512    5cc5f9045c90e8fd7d0ddbc242ef64df71b10e36c3a6e5d25db8dbc2608aa3ec48b2a6b71686fa4646e40eefec700e0b2c324e8bde7da9239be98f1416a58e4e

• C:\Windows\System32\es-ES\user32new.dll.mui
  Filesize  18KB
  MD5       88e058f2f65a9ecfc4023f5d6512bfee
  SHA1      c3a86890e1560d33309c0e019d573855028a811b
  SHA256    a0fc551bc1fe60ecedc79c387a3311f9879d1f69509e61c6a6e472534d7b4448
  SHA512    e51ac8a044bd5a0de3eb5128efccaa04ee54c5578c698b00bef3ffd9094e51e550b757916af4e7992407019614fd816dd9d78231b6821813bf3e9b4e217f807d

• C:\Windows\System32\fr-FR\user32new.dll.mui
  Filesize  19KB
  MD5       3996e9a5f0cc85e93aa7ade49a892c5e
  SHA1      fa2b4d88bc4b2efb7acd13a83003ec23c44c2664
  SHA256    39519ade42cac753b5fd8586786e292ada3c4910041353b31730fa3079801c21
  SHA512    99a84f565c0c730472ebb7940c260460f54b1c88c446c3869ce5e889f4fd14230b40c6267de751d93a3e1882d6ac6cd29a6026591aebb3600caa7b508bd5d414

• C:\Windows\System32\it-IT\user32new.dll.mui
  Filesize  18KB
  MD5       c99c413b13017aa89431469764aab8cd
  SHA1      a556fc89f96414c3d2b262841b207065a5e205c9
  SHA256    da174e40ddc8260b809f6331a2d3aa37daa108acd09aef38048432bd1ca283f7
  SHA512    da93ae0f081900c612c66967c27baf19b2d2054462971887d295b3db3ca5c1e5dbfd92bd258c4acc683b7ea3414466ded4d6ae85464a4eca7e08029fb4c1d615

• C:\Windows\System32\ja-jp\user32new.dll.mui
  Filesize  13KB
  MD5       e69bdd36a3eb328b1af034c72f160495
  SHA1      7615ada4ae284c46dd7ae5212e336aef597814ca
  SHA256    9c8c73bd07a703b1561e611e8e0754e3070aca9780069016061986550c3da772
  SHA512    f6fb9b3936b856548d2a728506898556048e0708be7803b50a12063db39943f9ebb5013a8f670e3e1c2ce1f4865b7cc6470c3b87bc01957b8749305cc4cc2ec8

• memory/4312-109-0x0000000000400000-0x0000000000525000-memory.dmp
  Filesize  1.1MB

• memory/4312-108-0x0000000000850000-0x0000000000851000-memory.dmp
  Filesize  4KB

• memory/4312-106-0x0000000000400000-0x0000000000525000-memory.dmp
  Filesize  1.1MB

• memory/4312-0-0x0000000000400000-0x0000000000525000-memory.dmp
  Filesize  1.1MB

• memory/4312-1-0x0000000000850000-0x0000000000851000-memory.dmp
  Filesize  4KB