Analysis
  max time kernel: 150s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/02/2024, 21:03

Static task: static1

Behavioral task: behavioral1
  Sample: github-setup.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: github-setup.exe
  Resource: win10v2004-20231222-en
General
  Target: github-setup.exe
  Size: 58.1MB
  MD5: 37138f5563de22dc827639ca73063932
  SHA1: ba6f56d95bd61cbfddbcb8c0e02d9c415fa6954d
  SHA256: bc0266d295b2cd211f0c16aa608caf0db401916f284a99cc578f5ad394b117d0
  SHA512: a574ceaeb9c3d63c2b5c63d6451df4ba003cf090b8e9b4893b5d8d87c40123e519c4bf212bf3993e7930d846574d84df9fc94916beec826c9b7eaccc295c8ecd
  SSDEEP: 393216:e1+zCer/QHn+T97auZqB1Jno6L/edodWDJNVI+v:e1+zCekHn+T97auZqlo6Kdb1NVI+
Malware Config
Signatures
  Rhadamanthys
    Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
    description: PID 3764 created 2520 | pid: 3764 | Process: BitLockerToGo.exe | procid_target: 70
  Suspicious use of SetThreadContext (1 IoC)
    description: PID 4864 set thread context of 3764 | pid: 4864 | Process: github-setup.exe | procid_target: 115
  Program crash (2 IoCs)
    pid: 5088 | pid_target: 3764 | Process: WerFault.exe | procid_target: 115
    pid: 2428 | pid_target: 3764 | Process: WerFault.exe | procid_target: 115
  Enumerates system info in registry (2 TTPs, 3 IoCs)
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Process: msedge.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Process: msedge.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Process: msedge.exe
  Modifies registry class (1 IoC)
    description: Key created | ioc: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{DC7BAFBE-1F0B-4288-87FB-486261EDF702} | Process: msedge.exe
  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid 2484 msedge.exe (x2); pid 2180 msedge.exe (x2); pid 2320 msedge.exe (x2); pid 3736 identity_helper.exe (x2); pid 3764 BitLockerToGo.exe (x2); pid 4568 dialer.exe (x4)
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
    pid 2180 msedge.exe (x16)
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description: Token: 33 | pid: 2804 | Process: AUDIODG.EXE
    description: Token: SeIncBasePriorityPrivilege | pid: 2804 | Process: AUDIODG.EXE
  Suspicious use of FindShellTrayWindow (27 IoCs)
    pid 2180 msedge.exe (x27)
  Suspicious use of SendNotifyMessage (24 IoCs)
    pid 2180 msedge.exe (x24)
  Suspicious use of WriteProcessMemory (64 IoCs)
    PID 2180 (msedge.exe) wrote to memory of 2188 | procid_target: 94
    PID 2180 (msedge.exe) wrote to memory of 716 | procid_target: 95
    PID 2180 (msedge.exe) wrote to memory of 2484 | procid_target: 96
    PID 2180 (msedge.exe) wrote to memory of 3100 | procid_target: 97
    (64 entries in total; repeated rows for the same target collapsed)
Processes
- C:\Windows\system32\sihost.exe (PID 2520)
  command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 4568)
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\github-setup.exe (PID 4864)
  command line: "C:\Users\Admin\AppData\Local\Temp\github-setup.exe"
  signatures: Suspicious use of SetThreadContext
  - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 3764)
    command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (PID 5088)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 448
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2428)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 460
      signatures: Program crash
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2180)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2188)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8199e46f8,0x7ff8199e4708,0x7ff8199e4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 716)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2484)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3100)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1000)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3372)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4608)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2296)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4104)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3088)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2320)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3352 /prefetch:8
    signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2488)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4752 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3412)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2552)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5092)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 880)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3736)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4240)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5040)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1084)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1088)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1508)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3096)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9263681062152374009,6178245127325791291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 4664)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3760)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\SysWOW64\WerFault.exe (PID 2804)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3764 -ip 3764
- C:\Windows\SysWOW64\WerFault.exe (PID 1372)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3764 -ip 3764
- C:\Windows\system32\AUDIODG.EXE (PID 2804)
  command line: C:\Windows\system32\AUDIODG.EXE 0x4f4 0x498
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads