Resubmissions
27-04-2024 21:19
240427-z6levsgg38 6 27-04-2024 21:13
240427-z2twfagh7x 6 27-04-2024 21:09
240427-zzwl9age73 10
Analysis
max time kernel: 144s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 21:19
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win10v2004-20240426-en
General
Target: https://github.com/Endermanch/MalwareDatabase
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
Processes:
  flow | ioc
  28 | camo.githubusercontent.com
  33 | camo.githubusercontent.com
  61 | raw.githubusercontent.com
  62 | raw.githubusercontent.com
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | [email protected]
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, [email protected], [email protected], [email protected], [email protected], [email protected]
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
  pid | process
  528 | msedge.exe (7 identical entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: taskmgr.exe, [email protected]
  description | pid | process
  Token: SeDebugPrivilege | 5348 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 5348 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 5348 | taskmgr.exe
  Token: SeShutdownPrivilege | 6004 | [email protected]
Suspicious use of FindShellTrayWindow (60 IoCs)
Processes: msedge.exe, taskmgr.exe
  pid | process
  528 | msedge.exe (repeated identical entries)
  5348 | taskmgr.exe (repeated identical entries)
Suspicious use of SendNotifyMessage (51 IoCs)
Processes: msedge.exe, taskmgr.exe
  pid | process
  528 | msedge.exe (repeated identical entries)
  5348 | taskmgr.exe (repeated identical entries)
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
  description | pid | process | target process
  PID 528 wrote to memory of 3748 | 528 | msedge.exe | msedge.exe (2 entries)
  PID 528 wrote to memory of 1480 | 528 | msedge.exe | msedge.exe (repeated identical entries)
  PID 528 wrote to memory of 5048 | 528 | msedge.exe | msedge.exe (2 entries)
  PID 528 wrote to memory of 2280 | 528 | msedge.exe | msedge.exe (repeated identical entries)
Processes
- PID 528: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 3748: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc502e46f8,0x7ffc502e4708,0x7ffc502e4718
  - PID 1480: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  - PID 5048: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2280: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  - PID 1268: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - PID 5020: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - PID 4656: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  - PID 696: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4000: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  - PID 1524: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  - PID 4604: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  - PID 4724: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  - PID 3348: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5616 /prefetch:8
  - PID 440: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  - PID 3244: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5148: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16396596155933457586,12485570788744652479,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
- PID 1920: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4452: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3584: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 2656: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"
  Signatures: Suspicious use of SetWindowsHookEx
  - PID 6004: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - PID 6020: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - PID 6036: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - PID 6060: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - PID 6076: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - PID 6100: "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /main
    Signatures: Writes to the Master Boot Record (MBR); Suspicious use of SetWindowsHookEx
    - PID 4672: "C:\Windows\System32\notepad.exe" \note.txt (image path: C:\Windows\SysWOW64\notepad.exe)
- PID 3340: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9b3e7659h52adh41a1hbd7eh9b7304a689d3
  - PID 2812: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc502e46f8,0x7ffc502e4708,0x7ffc502e4718
  - PID 5288: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5787191060879832072,5640390814589865421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  - PID 5300: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5787191060879832072,5640390814589865421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
- PID 5348: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 18f444650f38d161129e028f589054be
  SHA1: 58ee4e01f0657056b24f5a31e30c1e222d35645a
  SHA256: ab570077b0bd0bcb9b88ee937b26a40403a31b1b597c4da167d81b19f9fac360
  SHA512: c30f218b65dc0316bff6de1dcbd889c67a45055db2d63d5155bd736709d906076a0a48b61a5afce96765a97058513c90bc27fa3322664032d5215df0a8d0a160
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: c4243c38ef7a98e34ee63dbfba778873
  SHA1: eaeee63612b9a88b8765b58790e3001a8007e727
  SHA256: 633b77fff53634fc7a908f118b846d905a393041d0dbeaff1b3b6c50aece5b06
  SHA512: 65495c11f50dc124f2743a6c2b84ad3406742feeda6d33719ac4d017a431defa45eacc2e6011d5d26d180e79212ce1949ee53044410945324c8bca22dd42261d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 663B
  MD5: d46088de8a6b5368ca63e1a4555793ba
  SHA1: 990285e8845aadec0688c914a37756dff228931f
  SHA256: dd3a56157be0aee2fcc7000f7a862fd808faad65a9e3af4958a5afc70b40529d
  SHA512: 4725aad943e5503cbb1752b0c983ddd864abdb3cfe686c0ea8ba1f4cefcf8e7158036c20ad660f9c50dbf53b1f6482bfddacfa47f9c8b5c456cc0fe8468f71bd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 4d7f9480c092711e791a8f8638206a5a
  SHA1: 05a7e3c5228674c41820171e5dbadff039bf247a
  SHA256: ef4481c662821ce7076f16eb0414301b3de2034fe949c982cba1e6e4a1307f6d
  SHA512: 6610611e70e94ba9a5c1597777ada74df9e60f9356b9f827f1bf8cc6293f847a9d8973b4cf295999f7300f8ad94bc4deebb9a9b430f3c07f34626dbb18a073b7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: e624833ab3597d5fb6f03de25cf1bb9b
  SHA1: 0c9cac0d5794d72e86570051a17c7af5ca88d784
  SHA256: 0b611f2142f2da46efa9625a06a0c980903c964686f2e2f54256c2a9891c1a81
  SHA512: 50c040cb08c17573af85d02896209eba745fb3ad65f4dda8d293e1f5c08bbe207a1597e8f5abe05de820b3a0f5cd20380c47e0dd398005e5a2a10357af9ab5df
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 57a1caad96a1a6d083e2a035ec18b85c
  SHA1: 2c90e6f3c0ccb15e0a46c351692bbe75593e18ca
  SHA256: 6273179701d5761202c28ce785fd6af18f53142ebd2fad6654cade2ca3fa6130
  SHA512: f05c5c59142f5a6a0bba5b4d6b72df458ce99d7ac5cfb25b5bb0eb70fe4a7236babefef2e1c6421ff523b83d340964bc0c8250c7c58e6699fa72792299ffdfd7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 6815fd58be580fc28af142d7d3ae0d68
  SHA1: ec080d932c50481abadaa74d987ca64b1ad23922
  SHA256: 9d8d6b09b91d79d1726fe2d7bdb39e011f2fe9a2ef2f5d8f5ac15ad0a6e20516
  SHA512: cfc9b0c4c976d18d5c545d49913bceb5f7d1421281fae554263b66703cf83a0941c9ceaf33799b9d380667438a77f3e9dd3958857d1e3c6822d7d47800322b6a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: f6279bee55bbeeb55c7cf661c6392541
  SHA1: 01a5d78cd4c4b017e44f2cf6675c20cbc07e104f
  SHA256: 2c6e1f52a145299c85392e0a03135839ae994d93c2f77452b2aa59d2f0bc0ee7
  SHA512: 337932d0016b85830c8929a22e401d4161cdba8d8c905731a2521e95d95faa9485f652f64551db356e90f228c51991b63c2aae00d897949a0385ebad7beaf199
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 3368804eb79dc76ae7094a39beaa01f2
  SHA1: b0420c18a9ade6b75f0127d9a0c672c12d9ea44d
  SHA256: 4466a6497b6206db2b13fe1703515b269de447d1859e5bf6c0a0824fa5956f2b
  SHA512: f82748b755fb67bcf5e7be59e3ab00b8e014d23fb04a44a02da8119bbc7a17481000fcb20edfec8e059510dcc521d7f28e904193f64d8c660e58243619177911
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578cde.TMP
  Filesize: 1KB
  MD5: 4adceae7ae575b6fbc54bd38ef4d7e5d
  SHA1: 3e8f0fc53cded799ab36dea85c36cc9dede71101
  SHA256: 7b8f51d0ee8f83dad642397849ee5b09eb745ea04331639037455ce4ec29d728
  SHA512: 3c203949cd5d1202db655e9134bed05e4b30b42578038e88d969a7c39da8c4a103cabe4e3d1561bd1e416a0935d78e5a9580c9c4020f38e38fdf29608ed86bcf
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: d90dc105a197ddc5bd03c6fd79fc447f
  SHA1: 81639fd56e750ae9bad2afbcfbbab4e92befc59e
  SHA256: 41e4b5b78bb295f2cd412aaa8d798b46b3d26c315902ae0be7cecb96a7fce1ee
  SHA512: 51e626358102426300b3e9b7e8c73baeaab3b8a2d63b3da836688fc066c01e3045e2b195e67854cc27ea3998add9ea7f7d411e3abb9435c86802e470fe923c5d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: f49beb07c3e248fb6dac189e0e80913b
  SHA1: f9a187a355420e2b7c80821faf291184af514805
  SHA256: 3fd3374d086b943389228861b7317ea7f43c5ec33c6c369aa32cadd8dcf5e7e6
  SHA512: a95a4fb23525c8a328babf54b09f58e4aaf0771725aa27c28cb847311699d025054e69f863e2526bb34c94b7d4680b5001d8fbdf04119e997ab8e96b8fe56ecf
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: a2a132addf5fd0f2a8197845b43177e6
  SHA1: b36ee7586c5dfb2057240986f522b77a8c9d8834
  SHA256: 2e549fc5f384d13cf4c4993335c5fcb0bd7826e9beacc38a461c34593d204921
  SHA512: 83d14afc6f0aca1a8cb86b48ae4d7566175d476186953791fbd97ce7ae9fa832368d723299d3468c8b0435995a56e6bc3dff70ac0333c0a444a0f9103d3f3ab0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: f1f1efa864cc28d7f0419df504237641
  SHA1: 5dd0895cf609996c9c6cf5f862312f6d507f533a
  SHA256: 4bcf68fe3645fb3fee41137ee7556b7ce458670414a86802c2ffde05c0527453
  SHA512: 72a2a5609d4fcaafabc3de6222dadb0aeb65c3fac97bae4a8c64213321e9c05ccb98e1b51dd932ede50e1bcb587fdd70e2f319d7aa4138ba3c17c5e8803ea277
- C:\Users\Admin\Downloads\MEMZ.zip
  Filesize: 8KB
  MD5: 69977a5d1c648976d47b69ea3aa8fcaa
  SHA1: 4630cc15000c0d3149350b9ecda6cfc8f402938a
  SHA256: 61ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc
  SHA512: ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd
- C:\note.txt
  Filesize: 218B
  MD5: afa6955439b8d516721231029fb9ca1b
  SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
  SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
  SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
- \??\pipe\LOCAL\crashpad_528_TWWWHKQVLKEXCIWZ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/5348-365-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-358-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-359-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-357-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-369-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-368-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-367-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-366-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-363-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB
- memory/5348-364-0x000001DE7C590000-0x000001DE7C591000-memory.dmp
  Filesize: 4KB