Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
- submitted: 17-04-2024 05:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
- Resource: win7-20240221-en
General
- Target: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
- Size: 1.8MB
- MD5: 5c27bd7bc732967d149364ec21e3aa79
- SHA1: ab53dfe290a930557bbcf6da45edca5ac4f50c0b
- SHA256: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e
- SHA512: dfd62f4314b390650e0b018c89a68403ceae77f28d5146f14fcedd4820a82007ed8e638bde60d521ae18d51851635de3a167ee31c77f8d2fd5a559552038154b
- SSDEEP: 24576:/3vLRdVhZBK8NogWYO09+OGi9J3YiWdCMJ5QxmjwC/hR:/3d5ZQ1ixJIiW0MbQxA
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Drops file in Drivers directory (1 IoCs)
  Processes: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  description | ioc | process
  File opened (read-only) | \??\B: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\O: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\T: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\U: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\G: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\H: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\I: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\S: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\W: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\X: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\Z: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\E: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\J: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\L: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\N: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\Q: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\R: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\V: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\Y: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\A: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\K: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\M: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  File opened (read-only) | \??\P: | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid | process
  1528 | msedge.exe (x2)
  2808 | msedge.exe (x2)
  1944 | identity_helper.exe (x2)
  1256 | msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes: msedge.exe
  pid | process
  2808 | msedge.exe (x10)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe, e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe
  description | pid | process
  Token: SeDebugPrivilege | 856 | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe (x2)
  Token: SeDebugPrivilege | 4472 | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe (x2)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process
  2808 | msedge.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  2808 | msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe, e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe, msedge.exe
  description | pid | process | target process
  PID 856 wrote to memory of 4472 | 856 | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe (x3)
  PID 4472 wrote to memory of 2808 | 4472 | e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe | msedge.exe (x2)
  PID 2808 wrote to memory of 3500 | 2808 | msedge.exe | msedge.exe (x2)
  PID 2808 wrote to memory of 3636 | 2808 | msedge.exe | msedge.exe (x40)
  PID 2808 wrote to memory of 1528 | 2808 | msedge.exe | msedge.exe (x2)
  PID 2808 wrote to memory of 1560 | 2808 | msedge.exe | msedge.exe (x15)
Processes (bracketed number is the depth in the process tree)
[1] "C:\Users\Admin\AppData\Local\Temp\e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\e319b578931fd58ef20148773fe3bd7ff35cde5e9910e288189159d7f58d293e.exe" Admin
      - Drops file in Drivers directory
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6e2746f8,0x7ffb6e274708,0x7ffb6e274718
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6119132124467047888,10403172843739393613,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1268 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: bc2edd0741d97ae237e9f00bf3244144
  SHA1: 7c1e5d324f5c7137a3c4ec85146659f026c11782
  SHA256: dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041
  SHA512: 00f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 120a75f233314ba1fe34e9d6c09f30b9
  SHA1: a9f92f2d3f111eaadd9bcf8fceb3c9553753539c
  SHA256: e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0
  SHA512: 3c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 44d9081e9315bee650e28a1f50f3b401
  SHA1: d5116cea4e03bfa2574340eba42b5e87c8bf7849
  SHA256: 223047377af9eb23dbf50640f54cf20f7322fe4d8a449cc16311bc01538684fa
  SHA512: e2f4005abe749e0275a00c21f217d49c83bf13e78954fcd5c6ecec87a8a80dd8574d74ccc84abe0513a27241496b0ffaacf89c20e1fae3cf31c3d71d8e2baf85
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: c059c349dea9d9f2ac40fe5b74d6eb4a
  SHA1: e3c4819b78d955be2756bc02f57eedd6570773f7
  SHA256: 45504c58d7e6c84f2a8793ac9028e91f89979c12a6512e03e6c63fb824d1935a
  SHA512: c27e96744dc0d6f7877a2b4160af8346302ab02db8e976553e52de9fb48e6574328ce5d9396a224951e5fded14aec03dab4054e3a9e4361f2a6bb38051f22e07
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 00acdb00ef5ff096055a49b43b5acd97
  SHA1: b65eed0da024ef95046fd9d0a477b5a3b3239f3b
  SHA256: a0751ab209893ae4715debc291b57af16e5422851a9244b975df677d983185f1
  SHA512: 1a4f900dd861bc0c086bd69c1c0fe87266e29815047e152cfda06ad8fd9808ee8af3c849069a544ef0a6a96a447ade5002f23f209ad1746dca3f5834a8c4fc06
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 822B
  MD5: 03450e8ddb20859f242195450c19b8f1
  SHA1: 9698f8caf67c8853e14c8bf4933949f458c3044a
  SHA256: 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
  SHA512: 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b
- \??\pipe\LOCAL\crashpad_2808_KKTOICQLYKFSGGWP
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/856-4-0x0000000000400000-0x00000000005E5000-memory.dmp
  Filesize: 1.9MB
- memory/856-0-0x0000000000740000-0x0000000000741000-memory.dmp
  Filesize: 4KB
- memory/856-2-0x0000000000830000-0x0000000000831000-memory.dmp
  Filesize: 4KB
- memory/856-1-0x0000000000740000-0x0000000000741000-memory.dmp
  Filesize: 4KB
- memory/4472-11-0x0000000000400000-0x00000000005E5000-memory.dmp
  Filesize: 1.9MB
- memory/4472-9-0x0000000000400000-0x00000000005E5000-memory.dmp
  Filesize: 1.9MB
- memory/4472-6-0x00000000024F0000-0x00000000024F1000-memory.dmp
  Filesize: 4KB