Overview
Static (score 10)
74ff3f608e...bd.exe on windows7-x64 (score 3)
74ff3f608e...bd.exe on windows10-2004-x64 (score 7)
$PLUGINSDIR/inetc.dll on windows7-x64 (score 10)
$PLUGINSDIR/inetc.dll on windows10-2004-x64 (score 3)
$PLUGINSDI...ec.dll on windows7-x64 (score 10)
$PLUGINSDI...ec.dll on windows10-2004-x64 (score 3)
$PLUGINSDI...dl.dll on windows7-x64 (score 10)
$PLUGINSDI...dl.dll on windows10-2004-x64 (score 3)
Analysis (score 10)
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:42
Static task static1
Behavioral task behavioral1: sample 74ff3f608e7fc220cc939070f1bca6bd.exe, resource win7-20231129-en
Behavioral task behavioral2: sample 74ff3f608e7fc220cc939070f1bca6bd.exe, resource win10v2004-20231215-en
Behavioral task behavioral3: sample $PLUGINSDIR/inetc.dll, resource win7-20231215-en
Behavioral task behavioral4: sample $PLUGINSDIR/inetc.dll, resource win10v2004-20231222-en
Behavioral task behavioral5: sample $PLUGINSDIR/nsExec.dll, resource win7-20231215-en
Behavioral task behavioral6: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20231215-en
Behavioral task behavioral7: sample $PLUGINSDIR/nsisdl.dll, resource win7-20231129-en
General
Target: 74ff3f608e7fc220cc939070f1bca6bd.exe
Size: 320KB
MD5: 74ff3f608e7fc220cc939070f1bca6bd
SHA1: eba039dc499ba02641577be93b42ed38f9cfa552
SHA256: 126e5553fc40e4ecd36dbbedfbb39cced9b956b224122fe9df25f5d86081628f
SHA512: f372441f60f01663e9cc51377a30acc4b1cbd88aa7e9babfcb9c0bc37163055c76a5991226cbd2a40704f8cd0e664fc51a78b2fb2ae3fd05d8a2fc8dbb6977a4
SSDEEP: 6144:Uhi2CEx7BzUxW0pA+4ouO+5DiJUMMJyJi:UhtsW0L4ouuUMMJ+i
Malware Config
Signatures
Loads dropped DLL (11 IoCs)
Processes (pid, process):
1752 74ff3f608e7fc220cc939070f1bca6bd.exe (11 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid, process):
5016 msedge.exe (2 entries)
2384 msedge.exe (2 entries)
1384 msedge.exe (2 entries)
1668 identity_helper.exe (2 entries)
728 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes (pid, process):
1384 msedge.exe (9 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid, process):
1384 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
1384 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process):
PID 1752 wrote to memory of 1384: 1752 74ff3f608e7fc220cc939070f1bca6bd.exe -> msedge.exe (2 entries)
PID 1384 wrote to memory of 4952: 1384 msedge.exe -> msedge.exe (2 entries)
PID 1752 wrote to memory of 2972: 1752 74ff3f608e7fc220cc939070f1bca6bd.exe -> msedge.exe (2 entries)
PID 2972 wrote to memory of 3232: 2972 msedge.exe -> msedge.exe (2 entries)
PID 1384 wrote to memory of 4432: 1384 msedge.exe -> msedge.exe (40 entries)
PID 1384 wrote to memory of 2384: 1384 msedge.exe -> msedge.exe (2 entries)
PID 1384 wrote to memory of 3512: 1384 msedge.exe -> msedge.exe (14 entries)
Processes (indented by process-tree depth; each node lists its command line, PID and matched signatures)

"C:\Users\Admin\AppData\Local\Temp\74ff3f608e7fc220cc939070f1bca6bd.exe"
  PID: 1752
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/earth/download/ge/agree.html
    PID: 1384
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff839aa46f8,0x7ff839aa4708,0x7ff839aa4718
      PID: 4952

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
      PID: 3512

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      PID: 2384
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      PID: 4432

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      PID: 2588

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      PID: 1440

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
      PID: 3704

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      PID: 3012

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
      PID: 2572

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
      PID: 2548

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
      PID: 1668
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
      PID: 1060

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
      PID: 1604

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      PID: 848

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
      PID: 1828

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10433950027094849440,12113840440052233648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
      PID: 728
      - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://downloadactivation.com/thanks?offer=maps&reason=complete&adprovider=google_MyDrivingDirections.co&subid=google_maps-search-us-maps-exact-49718410167&user_id=fcc08ddc-b810-40d7-b58e-55a5a0e2e65a&red=https://www.google.com/maps/dir/1812westwoodave,springdale,ar/leavenworth,ks
    PID: 2972
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff839aa46f8,0x7ff839aa4708,0x7ff839aa4718
      PID: 3232

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,835440837476596709,5974424987234578648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      PID: 5016
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,835440837476596709,5974424987234578648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      PID: 1216

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2028

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 59a60f67471b83691714b54bb462935c
  SHA1: 55de88c4d7d52fb2f5c9cb976d34fdc176174d83
  SHA256: b2c8e6719dba039dabcd8f27cd15466e7ba5335d2a87066129c7860b124d2ed3
  SHA512: 04a52ce294c128dc495031e376f3ccb84ccdee6f38e972e3f0d7a10e6db4edbad2381ec1d052759d756ac66761ca42524c83baaf2acfe731e510a022e40e27bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: fa070c9c9ab8d902ee4f3342d217275f
  SHA1: ac69818312a7eba53586295c5b04eefeb5c73903
  SHA256: 245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7
  SHA512: df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
  Filesize: 192KB
  MD5: 5036f7c363373f5d9cc2b6519806feae
  SHA1: 3caf2148a2eb7c82f9aff0f3a2f4594ee70327bf
  SHA256: 715c5d3e3839c1b47c3008e8a89f929e60858ee379724a20775003c692e9fd6c
  SHA512: 4661cd6fb02dccc48a42fe127b1e88f7e794cd4eb1d8a5a8f5075f772dad63211efa349bab579c5bb81bfb2c4b1be201c6725a56f617f8913a2235e3565fe645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 312B
  MD5: 01e8b8385acb0ea63d6d8d2a951485ae
  SHA1: 7ef5e6143afc1f8915a773f9f5cd1e2545e36f40
  SHA256: 4b71077107ed8a6e94b347cad3e830167585a5f9346cdefc10b8120736d993c3
  SHA512: 28e995f5665a8ebdb251391623a2dd6dc16a9ecd673d1c8dbc232706dd3e58568ed3cfc1287a44c87a6d6bf16f980356843f6df4366c1aab98695ba87211e906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: b12d358fdb3da978e423beea336f33c8
  SHA1: 133d0830ff7bc5572bff4395837336b80f2408a3
  SHA256: c7d9cd5da1c4ae0969c730c5853d5311afd3bb65125cfe60f36e60319a4eb176
  SHA512: 0c658660a5eb3529d00f1924e986d2f49d04925497460aa086c67fecf01c225d21216997463f3d50e65cc0a0b26cf603dac3b212854d9c3ed154226532605c13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: c4dec612de8c7f2b62356584d8b1481b
  SHA1: 3f8db68df53507c168fcb6beec1e0ca68d86c9aa
  SHA256: bfcdfc816c821f9529e1f1e875e36c9aa72d4834081c1a7fbec97cac2dc0fb3f
  SHA512: 7f26d4b669afb55d807f06a57ebabd8edeb86b927a0ea6ffcf2c2d632d32b52d6899f46d728f5224dd19542e0dce6742b112c681ed15170674ed7f6786c374e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 8e998e0ed5fe3f87389c67814f87b5a6
  SHA1: f7dbdca52e278015c534995bf552890cac4fad8f
  SHA256: d0820386070712d5e5cd0e9a040aa13a7926e465c168a0a74ce13c65fe788eeb
  SHA512: c1853cb9dde15361bc99d77e729dce5c820ae57ca96b235f675879a175c2aaf3753c2a9224f38f29f62190a3bb6c3b53fb1d37b5c9d70030f0ae994211276b45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5: 917dedf44ae3675e549e7b7ffc2c8ccd
  SHA1: b7604eb16f0366e698943afbcf0c070d197271c0
  SHA256: 9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37
  SHA512: 9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5: 2ee1e50b23ecbe4b569518751007c026
  SHA1: 75c88f07e5b5b189986e4210702eb37d076d6296
  SHA256: 6cd3eb7b8f6c59022f084121523669714ba05aa9fd412ea465302505322ee931
  SHA512: 7bdc4c99d0f04cce96d3508f71002e0b9b847690c32f18e2e2c84e8f94141cda77b8e162329ed60eb463ba73e01b6c17f5a42b1208cf3481d5beb359e46de20b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 9c5887e36ca8bbaf0635cde8142a8e84
  SHA1: 84ef09bf0a6744b2e1fb5685a9cf754f07812672
  SHA256: dc4dcdf640d89c870d58a7d2604a4d5e82d51bbf75e1b78ab4d694b9bd5d0cee
  SHA512: b5a83c7dcd740b035bbbe91c4b2305b1ab0604b85f8e0f64bc305bc1595cc32d2d8b1ecad9119fe8d8ae29fc444e606d398e927c5530e8d0757290d5866a1246

C:\Users\Admin\AppData\Local\Temp\nsnCD34.tmp\inetc.dll
  Filesize: 24KB
  MD5: 1fc1fbb2c7a14b7901fc9abbd6dbef10
  SHA1: 4d9ed86f31075a3d3f674ff78f39c190a4098126
  SHA256: 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e
  SHA512: 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

C:\Users\Admin\AppData\Local\Temp\nsnCD34.tmp\nsExec.dll
  Filesize: 6KB
  MD5: 1128ee61dffa0a97d30b2f828235b289
  SHA1: b552f3d4f13894f2f30fb446893093ca78fe149c
  SHA256: 1e33decac84bdd2b3a651c969258f8e6c90616e9ec35de6ab4f402709555ce4c
  SHA512: d470356be436997fc53c17b8546cc80b187538ad2f258788761b92c28d91ef733fe6d8b3b33c353d84d1e0ae089207efd1ebfde33a6d33d5a341960e7bcfc8f5

C:\Users\Admin\AppData\Local\Temp\nsnCD34.tmp\nsisdl.dll
  Filesize: 15KB
  MD5: dd893b05df4fae0be652dfb188cd02d1
  SHA1: a93eed746ad7c87e84e95594b928236eac4c6aed
  SHA256: 334697f5ae532cbd6274a17f2009d21acdece8e21735cb16cf2c09262be7cfa2
  SHA512: baaa24e1deea742298ed4a361f70b568106fe462b71689b6394daa805ae898f246b4d417a176f66aec192ae0d64bafee555bb95388e02d3304b4a73a2f2f42f4

\??\pipe\LOCAL\crashpad_1384_DYCFOFPBQCHZXKDY
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e