Analysis
- max time kernel: 35s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 07:51
- static task: static1
General
- Target: Saturn Free Temp.exe
- Size: 4.2MB
- MD5: e6350586d1f6aacf8343125b758dfb1f
- SHA1: 5351a0c697e7c158d62f5e58484ba46787c952a8
- SHA256: c38b3feb6e14a703ad96fdd30f43bb33fe96175be99b6e6caa39c585b5ad18fd
- SHA512: 93406b4356389d32862e2f01276e3da8ad3c398e5699f8716e222565bfce48298d3a0b0ded424cacd38d36d2f056108decb0ebf313e44a2c2dd470ac0fc11cb7
- SSDEEP: 98304:l7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6K0:U+y4ihkl/Wo/afHP
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 1 IoC)
  Processes:
  - clean.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Modifies Windows Firewall  (2 TTPs, 1 IoC)
  Processes:
  - PID 4508 netsh.exe
- Checks BIOS information in registry  (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - clean.exe: Set value (data) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 64004f00660048005300200020002d002000330000000000
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Executes dropped EXE  (1 IoC)
  Processes:
  - PID 640 clean.exe
- YARA rule match: themida
  Processes (resource: yara_rule):
  - C:\Windows\System32\clean.exe: themida
  - behavioral1/memory/640-4-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp: themida
  - behavioral1/memory/640-5-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp: themida
  - behavioral1/memory/640-7-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp: themida
  - behavioral1/memory/640-6-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp: themida
  - behavioral1/memory/640-8-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp: themida
  - behavioral1/memory/640-128-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes:
  - clean.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Checks system information in the registry  (2 TTPs, 1 IoC)
  System information is often read in order to detect sandboxing environments.
  Processes:
  - clean.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
- Drops file in System32 directory  (1 IoC)
  Processes:
  - Saturn Free Temp.exe: File created C:\Windows\System32\clean.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  Processes:
  - PID 640 clean.exe
- Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry  (2 TTPs, 21 IoCs)
  Processes:
  - clean.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  - clean.exe: Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "a5d953bf-805e783e-8"
  - clean.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - clean.exe: Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "5d940a9b-33df83e4-a"
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - clean.exe: Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
  - clean.exe: Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
  - clean.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
  - clean.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion
- Gathers network information  (2 TTPs, 3 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
  - PID 3484 ipconfig.exe
  - PID 4820 ipconfig.exe
  - PID 4436 ipconfig.exe
- Kills process with taskkill  (3 IoCs)
  Processes:
  - PID 1552 taskkill.exe
  - PID 3172 taskkill.exe
  - PID 4744 taskkill.exe
- Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  Processes:
  - PID 640 clean.exe (2 entries)
  - PID 4896 msedge.exe (2 entries)
  - PID 3608 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (5 IoCs)
  Processes:
  - PID 3608 msedge.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  Processes:
  - PID 3084 WMIC.exe, the following token sequence recorded twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - PID 4908 WMIC.exe, the same token sequence recorded once, followed by SeIncreaseQuotaPrivilege again (22 entries)
- Suspicious use of FindShellTrayWindow  (26 IoCs)
  Processes:
  - PID 3608 msedge.exe (26 entries)
- Suspicious use of SendNotifyMessage  (24 IoCs)
  Processes:
  - PID 3608 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory  (64 IoCs)
  Processes (source PID process -> target PID process; each write is recorded twice in the report):
  - 2592 Saturn Free Temp.exe -> 2956 cmd.exe
  - 2592 Saturn Free Temp.exe -> 228 cmd.exe
  - 2592 Saturn Free Temp.exe -> 4120 cmd.exe
  - 2592 Saturn Free Temp.exe -> 4884 cmd.exe
  - 2592 Saturn Free Temp.exe -> 4516 cmd.exe
  - 4516 cmd.exe -> 3084 WMIC.exe
  - 2592 Saturn Free Temp.exe -> 312 cmd.exe
  - 2592 Saturn Free Temp.exe -> 2896 cmd.exe
  - 2896 cmd.exe -> 4908 WMIC.exe
  - 2592 Saturn Free Temp.exe -> 3104 cmd.exe
  - 2592 Saturn Free Temp.exe -> 3024 cmd.exe
  - 3024 cmd.exe -> 2024 WMIC.exe
  - 2592 Saturn Free Temp.exe -> 4688 cmd.exe
  - 2592 Saturn Free Temp.exe -> 4088 cmd.exe
  - 4088 cmd.exe -> 1792 WMIC.exe
  - 2592 Saturn Free Temp.exe -> 1556 cmd.exe
  - 2592 Saturn Free Temp.exe -> 4916 cmd.exe
  - 4916 cmd.exe -> 5072 WMIC.exe
  - 2592 Saturn Free Temp.exe -> 532 cmd.exe
  - 532 cmd.exe -> 1988 getmac.exe
  - 2592 Saturn Free Temp.exe -> 1560 cmd.exe
  - 2592 Saturn Free Temp.exe -> 1300 cmd.exe
  - 2592 Saturn Free Temp.exe -> 1416 cmd.exe
  - 2592 Saturn Free Temp.exe -> 4504 cmd.exe
  - 4504 cmd.exe -> 640 clean.exe
  - 640 clean.exe -> 1264 cmd.exe
  - 1264 cmd.exe -> 4744 taskkill.exe
  - 640 clean.exe -> 4004 cmd.exe
  - 4004 cmd.exe -> 1552 taskkill.exe
  - 640 clean.exe -> 4480 cmd.exe
  - 4480 cmd.exe -> 3172 taskkill.exe
  - 640 clean.exe -> 1676 cmd.exe
Processes
(indentation shows parent/child depth; where the command line does not begin with the image path, the image path is given first)
- "C:\Users\Admin\AppData\Local\Temp\Saturn Free Temp.exe"
    signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe /c color 5
  - C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe: wmic diskdrive get model, serialnumber
        signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c ECHO CPU
  - C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe: wmic cpu get serialnumber
        signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c ECHO BIOS
  - C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe: wmic bios get serialnumber
  - C:\Windows\system32\cmd.exe /c ECHO Motherboard
  - C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe: wmic baseboard get serialnumber
  - C:\Windows\system32\cmd.exe /c ECHO smBIOS UUID
  - C:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe: wmic path win32_computersystemproduct get uuid
  - C:\Windows\system32\cmd.exe /c getmac
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\getmac.exe: getmac
  - C:\Windows\system32\cmd.exe /c echo Going back to dashboard in 8 seconds...
  - C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe /c C:\Windows\System32\clean.exe
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\clean.exe
        signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled; Checks system information in the registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
          signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe: taskkill /f /im EpicGamesLauncher.exe
            signatures: Kills process with taskkill
      - C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
          signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe: taskkill /f /im FortniteClient-Win64-Shipping.exe
            signatures: Kills process with taskkill
      - C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
          signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe: taskkill /f /im Battle.net.exe
            signatures: Kills process with taskkill
      - C:\Windows\system32\cmd.exe /c start https://applecheats.cc
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
            signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa01046f8,0x7fffa0104708,0x7fffa0104718
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
              signatures: Suspicious behavior: EnumeratesProcesses
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
          - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8374938935991756960,16915892163217700415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      - C:\Windows\system32\cmd.exe /c pause
      - C:\Windows\system32\cmd.exe /c cls
      - C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
        - C:\Windows\system32\netsh.exe: NETSH WINSOCK RESET
      - C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
        - C:\Windows\system32\netsh.exe: NETSH INT IP RESET
      - C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
        - C:\Windows\system32\netsh.exe: netsh advfirewall reset
            signatures: Modifies Windows Firewall
      - C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
        - C:\Windows\system32\netsh.exe: NETSH INTERFACE IPV4 RESET
      - C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
        - C:\Windows\system32\netsh.exe: NETSH INTERFACE IPV6 RESET
      - C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
        - C:\Windows\system32\netsh.exe: NETSH INTERFACE TCP RESET
      - C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
        - C:\Windows\system32\netsh.exe: NETSH INT RESET ALL
      - C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
        - C:\Windows\system32\ipconfig.exe: IPCONFIG /RELEASE
            signatures: Gathers network information
      - C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
        - C:\Windows\system32\ipconfig.exe: IPCONFIG /RELEASE
            signatures: Gathers network information
      - C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
        - C:\Windows\system32\ipconfig.exe: IPCONFIG /FLUSHDNS
            signatures: Gathers network information
      - C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
        - C:\Windows\system32\nbtstat.exe: NBTSTAT -R
      - C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
        - C:\Windows\system32\nbtstat.exe: NBTSTAT -RR
      - C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
        - C:\Windows\system32\ARP.EXE: arp -a
      - C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
        - C:\Windows\system32\ARP.EXE: arp -d
      - C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
        - C:\Windows\System32\Wbem\WMIC.exe: WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ea98e583ad99df195d29aa066204ab56
  SHA1: f89398664af0179641aa0138b337097b617cb2db
  SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4f7152bc5a1a715ef481e37d1c791959
  SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 120B
  MD5: 58eab95a1f13da44674f5f7cdfcd583d
  SHA1: daa384b5bc1cad12b2d6a3d95be2156d8528c86f
  SHA256: 598061776a68240029aaf9807ba6697b4e5aaa0409b53c26d6f05a4239325d7d
  SHA512: 1804674c802c2e9db8d8d6f48924a5dffab923daf7fb9bf08e3e5d5f8a93c9eeeb331a85516ee2fb4794e212537cf01d96a05d5fb05009937d139e4c10b9d98b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 553B
  MD5: 9f7f5c4584c56f12f4fea18d066a543f
  SHA1: 6f2130340c296f93aff5c1b06871dacc5d9f872e
  SHA256: 4100b61ff5414201486000562801e4669c196cac2af18a211d1e525bc2b0e483
  SHA512: 7b066392ba29f044202a151dccaa52c24188ab90c123db0ec8cb32ed1e35366690f9d99a86828e5ad77cec208f541bfd1608e834ce44e2f48f0793842e6de4a7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d36bbe192737ff85cca73f35a62014fb
  SHA1: 5fff8630be8ed3839c36aaaebeff3daf931095db
  SHA256: fa46f6359bee199818da197f256c2371ddd6ac508c45e7f67a4eaa0d6fb0d950
  SHA512: c6976f98a463019518a1e7fc797e13c8dc9541d42c25f2c966843bcaacef778e418f2558a0c4b14d784db2695e9500a1e577612f58bbd78fb13353cd81d52726
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 39a87a323fbf738b079b618292f94998
  SHA1: 6b2283aa5c6becd70a794cecf1abe4406fd1a832
  SHA256: 8a382ac0405281e6cf879602470551c08347ca1fa4895068ca7f30e951348c79
  SHA512: 2eacc115d9444be9dce90b91dc79a94d3023550c3390ce9f3abd7c387eff29f114c74d4186024860c1eaf845a1b968e8b35c7fb2e173c2ffb3fae7348ebb77bd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: ac31bd389f633de65ebf4b71d92d00d6
  SHA1: acf7cfd681828730344b7ebe286ae371139923db
  SHA256: e477a29985bcff196c4831c2d2ecad79d068c5fa46963f7011b3b30993816fdc
  SHA512: 4b1694c10934c8aa3d6b0c8b08376e42a78ffe521496ff956226f87527523ed2b090a48b2ecd5980efb7fa4b7e6b4dd4ddb827cef07db34c9e9e3e13a1d9bdea
- C:\Windows\System32\clean.exe
  Filesize: 3.6MB
  MD5: f96eb2236970fb3ea97101b923af4228
  SHA1: e0eed80f1054acbf5389a7b8860a4503dd3e184a
  SHA256: 46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
  SHA512: 2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
- \??\pipe\LOCAL\crashpad_3608_WJQDSRQDKOVNQFND
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/640-8-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp
  Filesize: 9.6MB
- memory/640-6-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp
  Filesize: 9.6MB
- memory/640-7-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp
  Filesize: 9.6MB
- memory/640-5-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp
  Filesize: 9.6MB
- memory/640-4-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp
  Filesize: 9.6MB
- memory/640-128-0x00007FF684F50000-0x00007FF6858F2000-memory.dmp
  Filesize: 9.6MB