Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 02:28 (DD/MM/YYYY, i.e. 9 May 2024)

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1169948126703009824/1179101879381266554/spoofer_v1.exe?ex=663cfeb2&is=663bad32&hm=1a05280d3341a6b0df1bd1e06904a99dc77286d205da2ca92c0649f7c7c46369&
Resource: win10v2004-20240426-en

General
Target: https://cdn.discordapp.com/attachments/1169948126703009824/1179101879381266554/spoofer_v1.exe?ex=663cfeb2&is=663bad32&hm=1a05280d3341a6b0df1bd1e06904a99dc77286d205da2ca92c0649f7c7c46369&
The ex= and is= query parameters of a signed Discord CDN link are hex Unix timestamps (expiry and issue time) and hm= is the signature; ex=663cfeb2 is 9 May 2024, the submission day, so the link has since expired and the payload can only be matched by the file hashes listed under Downloads below.

Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Windows mirrors the ACPI table OEM IDs under HKLM\HARDWARE\ACPI; a DSDT subkey named VBOX__ exists only on a VirtualBox guest, so a successful open of this key is a VM check.
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (spoofer_v1.exe)

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments; on a VM these values usually carry the hypervisor vendor's name or a tell-tale build date.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (spoofer_v1.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (spoofer_v1.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (spoofer_v1.exe)

Executes dropped EXE 1 IoCs
PID 2452: spoofer_v1.exe (run from C:\Users\Admin\Downloads as a child of the Edge browser process, see the process tree below)

Checks whether UAC is enabled 1 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (spoofer_v1.exe)
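The three registry signatures above can be matched mechanically rather than read by eye. The following Python is an added example written for this page, not part of the Triage report or of the sample: it parses event lines in the report's own "<operation> <key> <process>" layout (the lines below are constructed from the IoCs above), normalises the NT registry paths to the HKLM/HKU spelling, and applies a small rule set. The categories, confidence levels and ATT&CK technique IDs in RULES are the editor's assignments, and the is_evasive threshold is a hypothetical policy, not something the report states.

```python
"""Flag sandbox/VM-evasion registry probes in Triage-style event lines.

Added example for this page, not part of the report or of the sample. The
rule set (categories, confidence, ATT&CK IDs) is the editor's own mapping.
"""
import re
from collections import defaultdict

# Constructed from the IoC tables above, in the report's "<op> <key> <process>" layout.
EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoofer_v1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoofer_v1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoofer_v1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate spoofer_v1.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoofer_v1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
"""

# "<op> <path starting with a backslash, no spaces> <process image>"
EVENT_RE = re.compile(r"^(Key opened|Key value queried|Key created)\s+(\\\S+)\s+(\S+)$")

# (pattern on the normalised path, category, confidence, ATT&CK technique, rationale)
RULES = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "anti-vm", "high", "T1497.001", "VirtualBox OEM ID in the ACPI tables"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I),
     "anti-vm", "medium", "T1497.001", "BIOS strings that carry the hypervisor vendor name"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(SystemManufacturer|SystemProductName)$", re.I),
     "sysinfo", "low", "T1082", "SMBIOS vendor/product; also read by browsers and crash reporters"),
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
     "uac-check", "medium", "T1012", "UAC enabled/disabled state"),
]


def normalize(path: str) -> str:
    """Map NT registry paths to the HKLM/HKU spelling analysts and Sigma rules use."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)


def analyze(text: str) -> dict:
    """Return {process: [finding, ...]} for every event line that matches a rule."""
    findings = defaultdict(list)
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                     # headings, counts and other non-event lines
        op, raw_path, proc = m.groups()
        path = normalize(raw_path)
        for pattern, category, confidence, technique, why in RULES:
            if pattern.search(path):
                findings[proc].append({"op": op, "path": path, "category": category,
                                       "confidence": confidence, "technique": technique, "why": why})
                break                    # first matching rule wins
    return dict(findings)


def is_evasive(findings: list) -> bool:
    """Hypothetical verdict policy: one high-confidence probe, or two distinct medium ones."""
    high = any(f["confidence"] == "high" for f in findings)
    medium = {f["path"] for f in findings if f["confidence"] == "medium"}
    return high or len(medium) >= 2


if __name__ == "__main__":
    for proc, hits in analyze(EVENTS).items():
        print(f"{proc}: evasive={is_evasive(hits)}")
        for h in hits:
            print(f"  [{h['confidence']:6}] {h['technique']} {h['category']:9} {h['path']}  ({h['why']})")
```

Run against the constructed events, spoofer_v1.exe is flagged on the VBOX__ hit alone, while the two SMBIOS reads by msedge.exe stay at low confidence and produce no verdict; that split is the point of keeping per-rule confidence instead of a flat list of "suspicious keys".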
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow 46: discord.com
flow 47: discord.com
The payload itself is served from cdn.discordapp.com, and the sample later opens a discord.gg invite through the browser (see the process tree). "C2" is the sandbox's generic label for the hosting provider; nothing in this run shows a command channel.

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification: \??\PhysicalDrive0 (spoofer_v1.exe)
\??\PhysicalDrive0 is the NT object-namespace form of \\.\PhysicalDrive0, the raw first disk. The IoC records a write-access open of that device, which is the same access a rewrite of the disk signature or of sector 0 needs; the report does not show which bytes, if any, were written, so an actual MBR change has to be confirmed by reading sector 0 back and comparing it with a known-good copy.
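How a responder would confirm or rule out such a change, as an added example that is not code from the report or from the sample: the block parses a 512-byte sector 0 into bootstrap code, disk signature and partition table, then diffs it against a baseline. The sector bytes are constructed here, build_sample_mbr stands in for a pre-infection image and tamper_mbr for whatever a disk-ID spoofer or bootkit might write; none of those edits were observed in the report.

```python
"""Parse sector 0 (MBR) and diff it against a known-good copy.

Added example for this page; not from the Triage report or from spoofer_v1.exe.
Use it after a process opened the raw first disk for write: read the first 512
bytes back and compare them with a baseline taken before the sample ran.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = 0xAA55            # bytes 55 AA at offset 510, read little-endian
PART_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the fields a bootkit or disk-ID spoofer would touch."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    (disk_sig,) = struct.unpack_from("<I", sector, 440)   # Windows disk signature
    (boot_sig,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        if ptype != 0:                                     # skip empty slots
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": disk_sig,
        "valid_signature": boot_sig == BOOT_SIG,
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable changes between two sector-0 images; [] means unchanged."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    changes = []
    if not b["valid_signature"]:
        changes.append("boot signature 55AA missing: legacy BIOS boot will fail")
    if a["bootstrap_sha256"] != b["bootstrap_sha256"]:
        changes.append("bootstrap code (bytes 0-439) modified: bootkit-style tampering")
    if a["disk_signature"] != b["disk_signature"]:
        changes.append(f"disk signature changed 0x{a['disk_signature']:08x} -> 0x{b['disk_signature']:08x}")
    if a["partitions"] != b["partitions"]:
        changes.append("partition table modified")
    return changes


def build_sample_mbr(disk_signature: int) -> bytes:
    """Constructed baseline: a stub bootstrap, one NTFS partition, valid signature."""
    sector = bytearray(SECTOR)
    sector[0:5] = b"\xfa\x33\xc0\x8e\xd0"                 # cli; xor ax,ax; mov ss,ax
    struct.pack_into("<I", sector, 440, disk_signature)
    # entry 0: bootable, type 0x07 (NTFS), LBA 2048, 1 GiB of 512-byte sectors
    struct.pack_into(PART_FMT, sector, 446, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    struct.pack_into("<H", sector, 510, BOOT_SIG)
    return bytes(sector)


def tamper_mbr(sector: bytes, *, disk_signature=None, bootstrap=None, clear_signature=False) -> bytes:
    """Stand-in for what a disk-ID spoofer or bootkit might write (constructed, not observed)."""
    out = bytearray(sector)
    if disk_signature is not None:
        struct.pack_into("<I", out, 440, disk_signature)
    if bootstrap is not None:
        out[:len(bootstrap)] = bootstrap
    if clear_signature:
        out[510:512] = b"\x00\x00"
    return bytes(out)


if __name__ == "__main__":
    # On the analysis VM the live copy would be read (as administrator, read-only) with:
    #   with open(r"\\.\PhysicalDrive0", "rb") as disk: current = disk.read(SECTOR)
    baseline = build_sample_mbr(0x1234ABCD)
    current = tamper_mbr(baseline, disk_signature=0xDEADBEEF, bootstrap=b"\xeb\xfe")  # jmp $: hangs at boot
    for change in diff_mbr(baseline, current):
        print(change)
```

The disk signature at offset 440 is what Windows uses to identify the volume in its boot configuration, so a tool that rewrites it to "spoof" hardware can break booting as surely as a bootstrap patch; the diff reports the two separately for that reason.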
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
PID 2452: spoofer_v1.exe
NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the kernel from delivering debug events for that thread; it is a common anti-debugging measure and, together with the VM and BIOS checks above, shows the sample actively resists analysis.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
All three reads are by the browser, not by the sample.

Modifies registry class 1 IoCs
Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{89157316-DF86-4F08-BE81-07EB0AC503AB} (msedge.exe)

Modifies system certificate store 4 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\SystemCertificates\R (spoofer_v1.exe)
Key created: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\R\Certificates (spoofer_v1.exe)
Key created: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\R\CRLs (spoofer_v1.exe)
Key created: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\R\CTLs (spoofer_v1.exe)
These keys sit under the user's hive (HKCU\Software\Microsoft\SystemCertificates), so they define a per-user certificate store named "R"; the machine-wide trust stores are not touched. The report lists only the key creation, not any certificate, CRL or CTL written into the store.

NTFS ADS 1 IoCs
File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 200724.crdownload:SmartScreen (msedge.exe)
The :SmartScreen alternate data stream on an in-progress .crdownload file is written by Edge itself as part of its download reputation check; it is not an action of the sample.
Suspicious behavior: EnumeratesProcesses 14 IoCs
PIDs: 3616 msedge.exe (x2), 4900 msedge.exe (x2), 436 identity_helper.exe (x2), 1496 msedge.exe (x2), 5820 msedge.exe (x2), 2548 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
PID 4900 msedge.exe (9 entries)

Suspicious use of FindShellTrayWindow 36 IoCs
PID 4900 msedge.exe (36 entries)

Suspicious use of SendNotifyMessage 24 IoCs
PID 4900 msedge.exe (24 entries)

Suspicious use of SetWindowsHookEx 1 IoCs
PID 2452 spoofer_v1.exe

Suspicious use of WriteProcessMemory 64 IoCs
PID 4900 msedge.exe wrote to the memory of PIDs 1064, 3056, 3616 and 3672 (64 entries in total; the targets are Edge's own crashpad-handler, gpu-process, network-service and storage-service children, in that order, as listed in the process tree).

Everything in this group except SetWindowsHookEx is attributable to the browser process (PID 4900) and its children: BlockNonMicrosoftBinary is the code-signing mitigation Chromium-based browsers set on their sandboxed children, and writing into freshly created child processes is how the Chromium sandbox broker bootstraps them, not injection into a foreign process. The one entry that belongs to the sample is the SetWindowsHookEx call from PID 2452; the report does not record the hook type.
Processes
Depth in brackets; each entry gives the image path and PID, then the command line, then the signatures the sandbox attributed to that process.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4900)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1169948126703009824/1179101879381266554/spoofer_v1.exe?ex=663cfeb2&is=663bad32&hm=1a05280d3341a6b0df1bd1e06904a99dc77286d205da2ca92c0649f7c7c46369&
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb646f8,0x7ffbdcb64708,0x7ffbdcb64718

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3056)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3616)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3672)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4536)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4040)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 828)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 436)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3200)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4716)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4484)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4948 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1212)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2988)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4444)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4808)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1496)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Users\Admin\Downloads\spoofer_v1.exe (PID 2452)
        "C:\Users\Admin\Downloads\spoofer_v1.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Modifies system certificate store
        - Suspicious use of SetWindowsHookEx
        The three children below are spawned by the sample, so the second browser instance and the certutil pipeline are sample behaviour, not browser noise.

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5244)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/skywalkertools
            The sample opens a Discord invite link in the default browser.

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5260)
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbdcb646f8,0x7ffbdcb64708,0x7ffbdcb64718

        [3] C:\Windows\system32\cmd.exe (PID 5464)
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\spoofer_v1.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            certutil hashes the sample's own file on disk; the two find /v filters drop certutil's header line (which contains "MD5") and its footer line (which contains "CertUtil"), leaving only the digest on stdout. A process hashing its own image this way is consistent with a self-integrity check. The digest can be compared with the MD5 values in the Downloads list below.

            [4] C:\Windows\system32\certutil.exe (PID 5480)
                certutil -hashfile "C:\Users\Admin\Downloads\spoofer_v1.exe" MD5

            [4] C:\Windows\system32\find.exe (PID 5488)
                find /i /v "md5"

            [4] C:\Windows\system32\find.exe (PID 5528)
                find /i /v "certutil"

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5324)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5424)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5812)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6532 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5820)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6224 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2548)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,345461841761317579,10924406556364403733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5792 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe (PID 864)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe (PID 3632)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run, by size and hash.

1. 152B
   MD5:    c9c4c494f8fba32d95ba2125f00586a3
   SHA1:   8a600205528aef7953144f1cf6f7a5115e3611de
   SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
   SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

2. 152B
   MD5:    4dc6fc5e708279a3310fe55d9c44743d
   SHA1:   a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
   SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
   SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

3. 840B
   MD5:    03730cc6c1d0f3bc7bc87a2603267056
   SHA1:   f1f68c89116cfa0378ca2c1e166f3dd2a37f88f6
   SHA256: a474be926a76761d02a59987300ccc37b5ac55d5831bc1bcc7a6935832d220b2
   SHA512: 72375cb4eb663aefb3412ff0d6f2c9064bacc04d9dd1c312d6a2d0c8ef804c00f49e23be27d358bcd5de678cae33eb9cfc3e6c3e7c3d9122e14ff31eabcb8ae1

4. 323B
   MD5:    74c9e7193b0cb61e692095d8d9e01ae8
   SHA1:   2f60d0b754e400d545d5f3829ae3b0a0b990d821
   SHA256: b51c6699b167d0179b11f965336dd9133829945e8992fb391043536d336d9baf
   SHA512: e3abb8a66b88de18aa084934f2d481d7f10060d35b0426a12b7dc1e7a3a8199261be181e889a4054c5d108884a16eb304a7e1b575de21820bd97acb48c13d747

5. 5KB
   MD5:    b994b644621f9aee5ee23106bb6b6a7c
   SHA1:   2eb8714636def4af33d9a69b5bed7be93cc3dac9
   SHA256: 4fc3bd171159a693c1a30c885f88bd92e0914695aaf4527b57a65baaeae26d82
   SHA512: d54eca9db6494b9a59a19682d82f22350c8d560829d721bca4817d7b5548e8c09c84aa2fd007b6f6fdde928ba804295b49b798e365744f0ea7dc90f40bafaa6f

6. 6KB
   MD5:    7a5ee6d96298cfcf10e47ad960db487b
   SHA1:   d7801943b2396ba1c44fed632300596d20d895bf
   SHA256: 8e3762124ff7b98463fb6f5a34193b4270cc99f9b1e0dc4937d1279d21a37587
   SHA512: 94870c0def305120f6ddf5df8ee4e945faee9677148620374e264fd13075e507c9240b81008bd386ed30c2513247891a57c12520b039f86ea811440b1eb83fda

7. 6KB
   MD5:    fc424d651b0561a034c1b35df5ac0a69
   SHA1:   4f4c4e8cb4a3433b28ef28e4f974023e0c49b7db
   SHA256: 883b031dc1e3e52c046af0f84abe06228e4dadf340abf4d18924cfbd728104c4
   SHA512: b167be7f5aaaf547d6e11099e0bb98466695d3183dbeef0623edfa723e125beb761ea677ee4b4928eedc7123f441fc691d4fc3b87a529f374c3430aada06be57

8. 16B
   MD5:    46295cac801e5d4857d09837238a6394
   SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
   SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
   SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

9. 16B
   MD5:    206702161f94c5cd39fadd03f4014d98
   SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
   SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
   SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

10. 11KB
   MD5:    f6a31e78ab15a903f51e8a002652d872
   SHA1:   f922c5919252d85f0daa472a01951f27b5ca5394
   SHA256: fd22fb2028a87ec46027dbc949e599640f51126c4e88de726ff6058bbb354dba
   SHA512: 2084a93c5e41270af1cf59044ba5c07b698aa2a746df38d6aa064a3b37d451d18f77dc300ce3989a6fb177b63a3dd6bcf76997de9d67d23d7f812a2e716cbf9f

11. 5.0MB
   MD5:    ad19ff51c028f187d2c25b3cf056344c
   SHA1:   e70e4a06a9bde76a18bca1e19c9226879411a1ff
   SHA256: 5794cec133f9c2c111f97504ee26c268985fbfaa3eac2ba81dc129caebd3e14a
   SHA512: 579f4fbccb5c0097e1e2f279178e4a174d54a852952b9970f0c1bff34e1a3f71988b7e719241342cd09424b822b60c3708e97a9a72155ee95badae025e1c5c02