Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 10:17
Static task: static1
Behavioral task: behavioral1
- Sample: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
- Resource: win7-20240215-en
General
- Target: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
- Size: 2.6MB
- MD5: 391074686ae2b33b85792431c7c6d694
- SHA1: 129c0c32284c26cace8890a251fb8aa68740f5a1
- SHA256: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0
- SHA512: 5bfb33e7ad0af3631f81533a187a7180995e2772c34134a34dbd65d46fef8e00335f9186188d514c8858ca83c3eeb058ec2aba7a42292aa518591781354d5176
- SSDEEP: 24576:9A8vyrepIND/0bfSPdaYsi5YYR+h+8fEvdDrGnrdEROGHOhXBo7FC/hRJHOh:9A81IJPLmEvdDqnroHO9HO
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
description | ioc (all 23 entries by process 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe)
File opened (read-only) | \??\K:
File opened (read-only) | \??\A:
File opened (read-only) | \??\H:
File opened (read-only) | \??\J:
File opened (read-only) | \??\R:
File opened (read-only) | \??\T:
File opened (read-only) | \??\U:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\I:
File opened (read-only) | \??\M:
File opened (read-only) | \??\P:
File opened (read-only) | \??\O:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\S:
File opened (read-only) | \??\W:
File opened (read-only) | \??\X:
File opened (read-only) | \??\E:
File opened (read-only) | \??\G:
File opened (read-only) | \??\N:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\B:
File opened (read-only) | \??\L:
File opened (read-only) | \??\V:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
2964 | msedge.exe (2 entries)
2832 | msedge.exe (2 entries)
3428 | identity_helper.exe (2 entries)
3924 | msedge.exe (4 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes: msedge.exe
pid | process
2832 | msedge.exe (9 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe, 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
description | pid | process
Token: SeDebugPrivilege | 3972 | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe (2 entries)
Token: SeDebugPrivilege | 2932 | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe (2 entries)
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process
2832 | msedge.exe (25 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process
2832 | msedge.exe (24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe, 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe, msedge.exe
description | pid | process | target process
PID 3972 wrote to memory of 2932 | 3972 | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe (3 entries)
PID 2932 wrote to memory of 2832 | 2932 | 17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe | msedge.exe (2 entries)
PID 2832 wrote to memory of 3672 | 2832 | msedge.exe | msedge.exe (2 entries)
PID 2832 wrote to memory of 3692 | 2832 | msedge.exe | msedge.exe (40 entries)
PID 2832 wrote to memory of 2964 | 2832 | msedge.exe | msedge.exe (2 entries)
PID 2832 wrote to memory of 4716 | 2832 | msedge.exe | msedge.exe (15 entries)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\17d8875f4c84a0abbaa72097ee460a777beda20a8b27b924fd42d6e2d2e6ddd0.exe" Master
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7fff260e46f8,0x7fff260e4708,0x7fff260e4718
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15725783265619261062,1892017531880437083,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3928 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\974b5b1e-6997-4e5a-b079-7b24b26fbc47.tmp
Filesize: 8KB
MD5: 677bc84d7ba147823c480611059e895e
SHA1: 87f948a6070472f953f005293d787fc37d034063
SHA256: 9e4d71fc6bbe8cdd5df2bc647c5c35ad741ddbec4ed67ccc951a1db4615aadc3
SHA512: 74d6a87f26b292fc2994000afcdc274d21e9f2d694291ab027322a06b0c7000ac4a6063dfc84e2fd48eb5e03530d60cebbb9bda9aead9f14c13ccaba87ed5d3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 850f27f857369bf7fe83c613d2ec35cb
SHA1: 7677a061c6fd2a030b44841bfb32da0abc1dbefb
SHA256: a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a
SHA512: 7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 62c02dda2bf22d702a9b3a1c547c5f6a
SHA1: 8f42966df96bd2e8c1f6b31b37c9a19beb6394d6
SHA256: cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b
SHA512: a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 8a3c3d3bdeb628bee0800668f30e12ba
SHA1: 267899d0b90c5d7d0519e6efdaf8dabbfc8ccfc9
SHA256: 569585b4884fa66fe1fd8331ba77364b6b55fc9c2a78b77f7a3c3250c5b524cf
SHA512: fc6a5ff744e824c47c2a5e5ad7a8a1809be623a51aca6963c1d7a0402ce982cb93f518687780f7718cae89c8b0195ac27744af4335d0eca0429d02947c4e6124
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 8c6b627028ac7a50aed61f28c5e84141
SHA1: 590cde1a183f1447b153c46673b8fa20de606488
SHA256: 1d169cad5016ca23481f31fd380f9d8183f060dfb9cea2d8353aa6be70065801
SHA512: f060286330e26aad52a4f2bc3ca6cd0501a42363ab445b50f6c4c02919d7b63d448eb0d8a65164085a480763bfc51bc25833ac749e4a92a4cc11c1e6bd73f317
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
\??\pipe\LOCAL\crashpad_2832_PKNYXZKWIHJXZSLZ
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2932-6-0x0000000000400000-0x000000000069F000-memory.dmp
Filesize: 2.6MB
-
memory/2932-9-0x0000000000400000-0x000000000069F000-memory.dmp
Filesize: 2.6MB
-
memory/2932-5-0x0000000000400000-0x000000000069F000-memory.dmp
Filesize: 2.6MB
-
memory/2932-2-0x0000000002300000-0x0000000002301000-memory.dmp
Filesize: 4KB
-
memory/3972-1-0x0000000000400000-0x000000000069F000-memory.dmp
Filesize: 2.6MB
-
memory/3972-0-0x0000000002340000-0x0000000002341000-memory.dmp
Filesize: 4KB