Analysis

Max time kernel: 140s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-05-2024 14:23

Static task: static1
Behavioral task: behavioral1
Sample: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
Resource: win7-20240220-en
General

Target: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
Size: 1.8MB
MD5: bcbf6cde461ac107ad366b4aafc162a8
SHA1: 478fc541027e351de18e2b70f0218e82ce828e98
SHA256: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3
SHA512: 6ab0a6d8c288d30db2aefa593d7e82526a7cde2d54411e2f373d67d1a31e34323ce63ddcd633eae14f32f58afe3c355d90c01d973f45d417c1d70a93b8a0944f
SSDEEP: 24576:R3vL762VhZBJ905EmMyPnQxhe4627l9BoUj3QC/hR:R3P6UZTHeW
Malware Config

Extracted
Family: metasploit
Payload: windows/shell_reverse_tcp
Listener (LHOST:LPORT): 1.15.12.73:4567

A windows/shell_reverse_tcp payload opens an outbound TCP connection from the victim to the listener and attaches cmd.exe to that socket, so the address:port pair above is the network indicator to hunt for; the sandbox run itself recorded no network section.
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Drops file in Drivers directory (1 IoC)
Process: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
- File opened (read-only), in the order recorded: \??\O:, \??\P:, \??\T:, \??\X:, \??\K:, \??\W:, \??\Y:, \??\G:, \??\E:, \??\H:, \??\J:, \??\N:, \??\R:, \??\V:, \??\A:, \??\I:, \??\L:, \??\M:, \??\Q:, \??\S:, \??\U:, \??\Z:, \??\B:
Every drive letter except C:, D: and F: appears in the list.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
This entry and the msedge.exe / identity_helper.exe entries below are attributed to Microsoft Edge, which the sample launched to open a URL (see the process tree); they describe the browser's own behaviour, not code in the sample.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid image): 1272 msedge.exe (x2), 2096 msedge.exe (x2), 2372 identity_helper.exe (x2), 1784 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes (pid image): 2096 msedge.exe (x10)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Process: 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
- Token: SeDebugPrivilege, pid 116 (x2)
- Token: SeDebugPrivilege, pid 3436 (x2)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid image): 2096 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid image): 2096 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
Source pid image -> target pid image, with the number of recorded writes:
- 116 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe -> 3436 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe (x3)
- 3436 87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe -> 2096 msedge.exe (x2)
- 2096 msedge.exe -> 3208 msedge.exe (x2)
- 2096 msedge.exe -> 4192 msedge.exe (x40)
- 2096 msedge.exe -> 1272 msedge.exe (x2)
- 2096 msedge.exe -> 1068 msedge.exe (x15)
Every write goes from a parent into a child it has just created, which is what process creation looks like under this monitor; none of the entries shows a write into an unrelated, already running process.
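The flattened signature tables are hard to read by eye, and the WriteProcessMemory rows double as a record of process ancestry. The following is an added example and not part of the sandbox report: a small Python triage helper that parses rows written in the report's own column layout into a process tree, the set of enumerated drive letters, the files opened for modification and the cross-image writes. The sample rows are constructed by copying representative entries from the Signatures section above (repeated rows collapsed); the function names, the row regex and the output keys are this example's own.

```python
import re
from collections import defaultdict

SAMPLE = "87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe"

# Constructed for this example by copying IoC rows from the report's
# "Drops file in Drivers directory" and "Enumerates connected drives"
# signatures, as (description, ioc, process) tuples.
FILE_EVENTS = [
    ("File opened for modification", r"C:\Windows\system32\drivers\etc\hosts", SAMPLE),
] + [("File opened (read-only)", f"\\??\\{d}:", SAMPLE) for d in "OPTXKWYGEHJNRVAILMQSUZB"]

# Constructed from the "Suspicious use of WriteProcessMemory" rows, one string per
# row in the report's layout: "PID <src> wrote to memory of <dst> <src> <image> <target image>".
# Duplicate rows are collapsed here; the report itself lists 64 of them.
WPM_ROWS = [
    f"PID 116 wrote to memory of 3436 116 {SAMPLE} {SAMPLE}",
    f"PID 3436 wrote to memory of 2096 3436 {SAMPLE} msedge.exe",
    "PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe",
    "PID 2096 wrote to memory of 4192 2096 msedge.exe msedge.exe",
    "PID 2096 wrote to memory of 4192 2096 msedge.exe msedge.exe",
    "PID 2096 wrote to memory of 1272 2096 msedge.exe msedge.exe",
    "PID 2096 wrote to memory of 1068 2096 msedge.exe msedge.exe",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):")  # NT path form of a drive root, e.g. \??\O:


def parse_wpm(rows):
    """Map (src_pid, dst_pid) -> (src_image, dst_image, number of rows seen)."""
    edges = {}
    for row in rows:
        m = WPM_RE.fullmatch(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(m[1]), int(m[2]))
        src_img, dst_img, seen = edges.get(key, (m[3], m[4], 0))
        edges[key] = (src_img, dst_img, seen + 1)
    return edges


def process_tree(edges):
    """Treat each write edge as parent -> child and render an indented tree.
    The monitor records the writes CreateProcess makes into a new child, so on
    this report the edges reproduce the process tree shown on the page."""
    children = defaultdict(list)
    image = {}
    for (src, dst), (src_img, dst_img, _) in edges.items():
        if dst not in children[src]:
            children[src].append(dst)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    roots = sorted(p for p in image if all(p not in c for c in children.values()))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def enumerated_drives(file_events):
    """Drive letters whose root the sample opened, sorted, as one string."""
    letters = set()
    for desc, ioc, _ in file_events:
        m = DRIVE_RE.fullmatch(ioc)
        if desc == "File opened (read-only)" and m:
            letters.add(m[1])
    return "".join(sorted(letters))


def modified_files(file_events):
    return [ioc for desc, ioc, _ in file_events if desc == "File opened for modification"]


def cross_image_writes(edges):
    """Writes whose source image differs from the target image. A parent writing
    into a child it just started is expected; a write into an unrelated, already
    running process would be the injection signal to chase."""
    return [(s, d, si, di) for (s, d), (si, di, _) in edges.items() if si != di]


def triage(file_events, wpm_rows):
    edges = parse_wpm(wpm_rows)
    drives = enumerated_drives(file_events)
    return {
        "tree": process_tree(edges),
        "drives": drives,
        "drives_not_seen": "".join(sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(drives))),
        "modified": modified_files(file_events),
        "cross_image_writes": cross_image_writes(edges),
        "write_counts": {k: v[2] for k, v in edges.items()},
    }


if __name__ == "__main__":
    for key, value in triage(FILE_EVENTS, WPM_ROWS).items():
        print(key, value if not isinstance(value, list) else "\n  " + "\n  ".join(map(str, value)))
```

Run as a script it prints the tree rooted at pid 116 with the two sample instances above the Edge processes, the 23 drive letters (C, D and F are the ones never touched), the hosts path, and a single cross-image write (the sample starting msedge.exe). Feeding it the full 64 rows instead of the collapsed sample only changes the per-edge counts.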
Processes
(Indentation shows the parent/child relationship. The pids given for the first three entries come from the WriteProcessMemory signature above; the page does not print pids for the remaining Edge helpers.)

C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe (pid 116)
Command line: "C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe (pid 3436, re-launched by pid 116 with the argument "Admin")
  Command line: "C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe" Admin
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (pid 2096, browser started by the sample to open a URL)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (crashpad handler)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd41c846f8,0x7ffd41c84708,0x7ffd41c84718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (GPU process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (network service)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (storage service)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 6)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 5)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 8)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 9)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 10)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 11)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 12)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 13)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 14)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, client id 15)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1364 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (GPU process, second instance)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2535068521177453007,14660516601290931284,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3824 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\91388bfb-ccdf-484c-bf12-9678d053e519.tmp
Filesize: 11KB
MD5: e31805f22a730fb5917cf4e6c61835cc
SHA1: 2f39d4bb24b84ee6454b6afed1cc9eeb5a92dca7
SHA256: 0b5f1dbe069f9e2981d799af489ea32a5b14a9ba16a3c0435290a702b5c38e86
SHA512: 1cebe28d418256834beb820555956fd280ba2f1102e34ef5afc305af3039625ed89cc86a86c9cf818864b4bfe8424df263d8901db5195b0b2c0e297cb046ef09

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 612a6c4247ef652299b376221c984213
SHA1: d306f3b16bde39708aa862aee372345feb559750
SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 56641592f6e69f5f5fb06f2319384490
SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 766c923bef2a60321ba71a44221e728d
SHA1: b965868687139cb9fc9ecb7f227aa57796545e8f
SHA256: 1bb83f8795237a10f6ad9f6603f78b05cd7cd44e4ec693486f58482db1084cbe
SHA512: d92c9bea954ebbd91e6fe80ee5cd1bdd6028c4a5a8cf2b41905ef1591308c0745f0debad2d2cafdce5116de29fdf3842b70745beae4549dce7fae54ac018447c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 2bd6f8e93f6a9859439607eccc19ea61
SHA1: 542d6bf64b17003b82c6f173e5f179e217e5a442
SHA256: b37dd2e5d0d2288bd3e2972a5f94ccf290c67d3670be584ff8d1b29e4222d5b7
SHA512: 3c971a068fa7ee977ee846225296d5573dcfc5572bc6d7a3bc2b3e25fbb32a3f9a49f200b75158a68cb54afca915a1284e41626c3737c21689d084d65b606849

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Windows\system32\drivers\etc\hosts
Filesize: 822B
MD5: 03450e8ddb20859f242195450c19b8f1
SHA1: 9698f8caf67c8853e14c8bf4933949f458c3044a
SHA256: 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
SHA512: 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b
(This is the file the sample opened for modification; the report does not show its contents, so whether anything was actually written cannot be read off the digests alone.)

\??\pipe\LOCAL\crashpad_2096_ZNXVDEUPXZKYMUXW
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of zero-length input: the Edge crashpad named pipe had no capturable content.)

memory/116-4-0x0000000000400000-0x00000000005E5000-memory.dmp
Filesize: 1.9MB

memory/116-0-0x0000000002330000-0x0000000002331000-memory.dmp
Filesize: 4KB

memory/116-2-0x0000000002420000-0x0000000002421000-memory.dmp
Filesize: 4KB

memory/116-1-0x0000000002330000-0x0000000002331000-memory.dmp
Filesize: 4KB

memory/3436-11-0x0000000000400000-0x00000000005E5000-memory.dmp
Filesize: 1.9MB

memory/3436-9-0x0000000000400000-0x00000000005E5000-memory.dmp
Filesize: 1.9MB

memory/3436-6-0x00000000023A0000-0x00000000023A1000-memory.dmp
Filesize: 4KB

The 0x00400000-0x005E5000 range dumped from both pid 116 and pid 3436 is the same 1.9MB region in each, consistent with the sample's own image mapped at the same base in the two instances; the 4KB dumps are single pages the monitor flagged separately.
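The report lists C:\Windows\system32\drivers\etc\hosts both as a file the sample opened for modification and, above, as a captured 822-byte file with its digests. As an added example that is not part of the report, the following Python checks a hosts file the way a responder would on a machine that ran this sample: it lists every active mapping that is not a plain loopback alias (a real name pinned to 0.0.0.0 or loopback blocks update or AV traffic; a name pinned to a routable address hijacks it outright) and compares the file's SHA-256 with the captured one. SAMPLE_HOSTS is constructed for the example and is not the captured file, whose contents the page does not show; check_hosts(), classify() and the other names are this example's own.

```python
import hashlib
import ipaddress

# SHA-256 of the hosts file captured in this run, taken from the report's
# Downloads section. A live file with the same digest is byte-identical to it.
REPORT_HOSTS_SHA256 = "1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b"

# Constructed sample, NOT the captured 822-byte file: a stock-looking header
# followed by one benign mapping and two injected ones.
SAMPLE_HOSTS = b"""\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#\t127.0.0.1       localhost
#\t::1             localhost
0.0.0.0       av-updates.example.invalid
127.0.0.1     localhost   # harmless: loopback alias for localhost
10.20.30.40   login.example.invalid   update.example.invalid
"""

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(data):
    """Return (lineno, ip_or_None, [fields]) for every active mapping.
    A '#' starts a comment even mid-line; blank lines are skipped; a first
    field that is not an IP address is kept with ip=None so it stays visible."""
    entries = []
    for n, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((n, None, fields))
            continue
        entries.append((n, ip, fields[1:]))
    return entries


def classify(entries):
    """Flag every active mapping that is not a plain loopback alias:
    'sinkholed'  - a name pinned to 0.0.0.0 or loopback
    'redirected' - a name pinned to a routable address
    'malformed'  - a line whose first field is not an address"""
    findings = []
    for n, ip, names in entries:
        if ip is None:
            findings.append((n, "malformed", names))
        elif ip in LOOPBACK and all(h.lower() in LOCAL_NAMES for h in names):
            continue
        elif ip.is_unspecified or ip in LOOPBACK:
            findings.append((n, "sinkholed", names))
        else:
            findings.append((n, "redirected", names))
    return findings


def matches_report_capture(data):
    """True if the file is byte-identical to the hosts file captured in the report."""
    return hashlib.sha256(data).hexdigest() == REPORT_HOSTS_SHA256


def check_hosts(data):
    return {
        "is_report_capture": matches_report_capture(data),
        "findings": classify(parse_hosts(data)),
    }


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to check a live file;
    # with no argument the constructed sample is checked instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    result = check_hosts(blob)
    print("matches report capture:", result["is_report_capture"])
    for finding in result["findings"]:
        print(finding)
```

On the constructed sample this reports line 7 as sinkholed and line 9 as redirected and leaves the localhost line alone; the digest comparison is only meaningful on a file pulled from a host that ran this exact sample, since any edit, including line-ending changes, alters the SHA-256.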