Analysis

max time kernel: 133s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 16:49
Static task: static1
URLScan task: urlscan1

Errors
General
Malware Config

Signatures
Downloads MZ/PE file

Executes dropped EXE (5 IoCs)
Processes (pid | process):
  5660 | NAME.exe
  5992 | NAME.exe
  6048 | NAME.exe
  5684 | NAME.exe
  4852 | NAME.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Host = "C:\\Program Files (x86)\\DOS Host\\doshost.exe" | NAME.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NAME.exe
Drops file in Program Files directory (3 IoCs)
Processes (description | ioc | process):
  File created | C:\Program Files (x86)\DOS Host\doshost.exe | NAME.exe
  File opened for modification | C:\Program Files (x86)\DOS Host\doshost.exe | NAME.exe
  File created | C:\Program Files (x86)\DOS Host\doshost.exe\:SmartScreen:$DATA | NAME.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Modifies registry class (1 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | msedge.exe
NTFS ADS (2 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 838940.crdownload:SmartScreen | msedge.exe
  File created | C:\Program Files (x86)\DOS Host\doshost.exe\:SmartScreen:$DATA | NAME.exe
Suspicious behavior: EnumeratesProcesses (41 IoCs)
Processes (pid | process, in report order, repeats collapsed):
  2724 | msedge.exe (x2)
  1684 | msedge.exe (x2)
  2352 | identity_helper.exe (x2)
  5560 | msedge.exe (x2)
  5660 | NAME.exe (x8)
  5352 | msedge.exe (x4)
  5660 | NAME.exe (x21)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
  5660 | NAME.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes (pid | process, repeats collapsed):
  1684 | msedge.exe (x9)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process, repeats collapsed):
  Token: SeDebugPrivilege | 5660 | NAME.exe (x2)
Suspicious use of FindShellTrayWindow (36 IoCs)
Processes (pid | process, repeats collapsed):
  1684 | msedge.exe (x36)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid | process, repeats collapsed):
  1684 | msedge.exe (x24)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
  2932 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process, in report order, repeats collapsed):
  PID 1684 wrote to memory of 4468 | 1684 | msedge.exe | msedge.exe (x2)
  PID 1684 wrote to memory of 1188 | 1684 | msedge.exe | msedge.exe (x40)
  PID 1684 wrote to memory of 2724 | 1684 | msedge.exe | msedge.exe (x2)
  PID 1684 wrote to memory of 3084 | 1684 | msedge.exe | msedge.exe (x20)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/iZ9arn
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaa6046f8,0x7ffbaa604708,0x7ffbaa604718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5348 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Downloads\NAME.exe
    Command line: "C:\Users\Admin\Downloads\NAME.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,17288726879728463601,15783673456901342279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5776 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Downloads\NAME.exe
  Command line: "C:\Users\Admin\Downloads\NAME.exe"
  Signatures:
  - Executes dropped EXE

- C:\Users\Admin\Downloads\NAME.exe
  Command line: "C:\Users\Admin\Downloads\NAME.exe"
  Signatures:
  - Executes dropped EXE

- C:\Users\Admin\Downloads\NAME.exe
  Command line: "C:\Users\Admin\Downloads\NAME.exe"
  Signatures:
  - Executes dropped EXE

- C:\Users\Admin\Downloads\NAME.exe
  Command line: "C:\Users\Admin\Downloads\NAME.exe"
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38df055 /state1:0x41c64e6d
  Signatures:
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NAME.exe.log
  Filesize: 496B
  MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
  SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
  SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
  SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: c9c4c494f8fba32d95ba2125f00586a3
  SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
  SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
  SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4dc6fc5e708279a3310fe55d9c44743d
  SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
  SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
  SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 288B
  MD5: 6741deffacb21623191d360f5b7195c0
  SHA1: e6bd95448ec782aeb31c8f7c944a130cd4ed450e
  SHA256: 6cb9f165fb18a5d7aec7300bc41998dc272eb7d547ed80e1eeee3b10d0ae9753
  SHA512: 80ae49a8679d639bad2eff25e0dfe2d20aa9d4be39014a8cccd61609224a7db223ac1ed3cbfc69e72832d8665f9ac59e269a66e563a06e105c81260ccaeca3a0

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 317B
  MD5: afc6cddd7e64d81e52b729d09f227107
  SHA1: ad0d3740f4b66de83db8862911c07dc91928d2f6
  SHA256: b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
  SHA512: 844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 7a4105801afc16f9d24ccd68f748ef80
  SHA1: f1740495cec5ff09e3b1b73d407382843f0ddc4e
  SHA256: 1a6e2608b868f0c5f9d9bbd14328f0c9d6c3594aab4ec6e6a51a498df03c7f23
  SHA512: 13535490fce9299cffedb8a1d0ef5a72252790a0101e786571fad5112e48892f5967b4cc78ecfb73f509c5e6a2f06f55f3953ad6a90f12ef67bb081c78b12ef7

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 185bf0b43559cd688ac99e820c3487a6
  SHA1: 727608c8063498e703d6bc5c00edf8f7e3970a78
  SHA256: 5cc27768e24679bc0d216094bdb7febb289f93bdc53aff3033d20f0d24c1e8c5
  SHA512: d4927ceae551fd7376b5b17463846a359d6185e97ece817ad0a04209092f4500502b52fbe2491860ddd8a188210db2e5735e6ad1513cd162cf790b32aac8b830

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: a8a066912f385f2fe531d1e3086e44bf
  SHA1: 7bccb90565c21d5f7efa92e3268c6e80340d8cad
  SHA256: b862efd84484f4e53c5e17b225f347169a6963035481b89867943ab877d557ca
  SHA512: ed6d242088f9580fbf51c2f0aa14bc8db1ab0b0528ab2927c1981c648a49b18b0cb3bb4551f2427b917798eeaca5dd16d28606171fc8a4516315bdc9790d5bbb

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 71af77e84afba8bafc182f59d03246c9
  SHA1: 9857a1acd2e251074b963544a82490f8185092c3
  SHA256: 4cafac38d67ec36e2696bd98beb40695c3755be18463207b806bf81ee4280537
  SHA512: 033726705ca7fc463ca5466db3d7604d6919e5c12940cc8d8f635976d9fc086228d19cf46b87b8fe295b81241ef3c61cb15af1da9cf74a97034f5082bacfe7f8

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 1404ae61a135a5e986562b47e523cf27
  SHA1: 780d5a8bdc278e8f91eded33d8c28ae417eaeb6d
  SHA256: dc689de878fe81b6455210646767f7eab57c302822c9c8155d8d5c9cd496b0de
  SHA512: e101866aaf1371c3f4b4edb5141d7dff9171024fadebd8b325f037750065a541512b2fe57af370bccec87e4b563be68349693e31902e327611d0635c7120b879

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: a06740989c139cd0fd9bef5d6a5b1810
  SHA1: 9e9f2cfa3f3f54ea64292b8e5ab696efd8a70b82
  SHA256: b082742f91b0828288f1c62755154ee2c67e4409a3df475b77f88ceb7fd7c5eb
  SHA512: 6737112316a8397c72abba02c0e1444494787f8017126e5bb948702690ff56f461949b91ad12a50165953fa3b1297eb4e7569721d3cb772202f8f713a279e04e

- C:\Users\Admin\Downloads\Unconfirmed 838940.crdownload
  Filesize: 202KB
  MD5: eed85e92266793c87a6f65748055a650
  SHA1: 3aefd591917e1d3d62194d376547704f9e342d11
  SHA256: 1d42bea84a39ae9d447cf9a1d5bf60b040d008f13fc0d3b52fa275e59e14cc36
  SHA512: ffe54c15e5f7a26f70bbf042f6fae3c6fd731d5799f09dfb4f4c7fc118f428cc971f558e49724c92575968f1b7c945971fb476f4ca722a03b1414e6566624a02

- \??\pipe\LOCAL\crashpad_1684_JSOBUFLRKXSPZKX
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e