Overview
overview
6Static
static
3CapCut_726...er.exe
windows7-x64
6CapCut_726...er.exe
windows10-2004-x64
6$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ed.dll
windows7-x64
1$PLUGINSDI...ed.dll
windows10-2004-x64
1$PLUGINSDI...in.dll
windows7-x64
3$PLUGINSDI...in.dll
windows10-2004-x64
3$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 05:57
Static task
static1
Behavioral task
behavioral1
Sample
CapCut_7267140873131950085_installer.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
CapCut_7267140873131950085_installer.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/BgWorker.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/BgWorker.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/deviceregister_shared.dll
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/deviceregister_shared.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/downloader_nsis_plugin.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/downloader_nsis_plugin.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/shell_downloader.dll
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/shell_downloader.dll
Resource
win10v2004-20240508-en
General
-
Target
$PLUGINSDIR/downloader_nsis_plugin.dll
-
Size
1.2MB
-
MD5
f181413906a465fd0dd68cc4a3d98803
-
SHA1
5aa28be48047dd0b672ab98d5e7cbd8260486b4b
-
SHA256
e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda
-
SHA512
8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25
-
SSDEEP
24576:UtF94NRXKCK8gEM4Vn8rHmAumkpF6sBE:Ut/uXTianGmAumkpFe
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1516 3968 WerFault.exe rundll32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exepid process 872 msedge.exe 872 msedge.exe 4632 msedge.exe 4632 msedge.exe 968 identity_helper.exe 968 identity_helper.exe 1480 msedge.exe 1480 msedge.exe 1480 msedge.exe 1480 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
Processes:
msedge.exepid process 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe 4632 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exemsedge.exedescription pid process target process PID 4436 wrote to memory of 3968 4436 rundll32.exe rundll32.exe PID 4436 wrote to memory of 3968 4436 rundll32.exe rundll32.exe PID 4436 wrote to memory of 3968 4436 rundll32.exe rundll32.exe PID 4632 wrote to memory of 1744 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1744 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 4812 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 872 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 872 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe PID 4632 wrote to memory of 1032 4632 msedge.exe msedge.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\downloader_nsis_plugin.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\downloader_nsis_plugin.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 8923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3968 -ip 39681⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5b9046f8,0x7ffd5b904708,0x7ffd5b9047182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,647710824281444289,16254204944730344120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556641592f6e69f5f5fb06f2319384490
SHA16a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA25602d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5612a6c4247ef652299b376221c984213
SHA1d306f3b16bde39708aa862aee372345feb559750
SHA2569d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA51234a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
67KB
MD5d2d55f8057f8b03c94a81f3839b348b9
SHA137c399584539734ff679e3c66309498c8b2dd4d9
SHA2566e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c
SHA5127bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
39KB
MD5395699fc7fc3283d3bade75dbffa446e
SHA1c9474c5a587fbd3a25c0992f1dfe7946e3b7abba
SHA256a184c8951b524d5a22d7bca69a0d775523e8c095d158f80ac4415d87d17acd1c
SHA51270749ca5fc0cc5b9b85d13ecde89ffffbc1af7b36a650be842ff303b0ed0ef49e8d9f3edb91324d42462446b882b2558abff235f42e300226e491432196ba8fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
1.2MB
MD5153d9573f0f824b040ac13793d95e406
SHA1f8a73c205962012c4fa5b93ccbc77d7b1be3b5d8
SHA256c70c12b65715e837682baf0eea8ff99a7531d9036b0b5a9d640def85df92d016
SHA5125e0f64f8d333be4fff5b869952fe18f3189d6af97bfce10aad8acae96153b790108351083f1b80c40d76cebdca35e5d7e0f3371c588a02c74e6ea0055a3d2b20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
960B
MD527595c68308c9514badf85de6164263a
SHA1d9919eeb3f62989432bba6b8a18478c15b444ee5
SHA256b6a91e2336ff1b6141b76a110531edd0d2402cba04da645b7ac611ce92d61ecc
SHA5129d8d4d20b8d49f90d64442180a9198fd22c7ede7d044f4e322e9eba39978d52fe2655620f3a91c6c7672c296da97ca67b5870766d3a3d0a9b043675e714f6805
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5b76eb60d80528e4c2e5f9607d33bb6e4
SHA1910aa6f4f8b513153a2b7f331af5ba2ebe7c9705
SHA25602d2192be651ead5800e2e02e0b51cf6467147206fea1f5368a2b7ca4a858909
SHA512bf8ac3282568be08ff5f9ccadace0ef7cb10b88f6d7f1e7822b13264abf47dd8a6ed52e4f5fb6bcd103d702ff713e774e1402a747d8b8716d3f0f3e22da40166
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5264f65f6197752b185448ca1c94a977e
SHA182a019df4426710aa303afa7ac2d294c32ac246a
SHA256a44bacd33209e389dadf74af2eb437b20b21cfeb035ae586354dac53371e76c3
SHA512cd32e98e47a5da29c33fcc6f08f0a87b1bcc5ac595d8518da3db81f4dbba256e47acdb5f60b5f02075de987c89fdcd2a60fde1fff17d385812402ab45b2da358
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD530903d5ef4eb0ebeb5efb2cefbed368f
SHA10b0210bf02a8b8ed0802583a135c33ff2cbe3d08
SHA256106bbdbe535d8af10c33720928c2d146d58d0108e6f34dd52cc3012d944f40fa
SHA51277e4fbe91bf8ac9e982c8e7aaab3bb5c444959c4fb276711341c9b14a0480df9f977443929ceb35cff8700e0d824752219e7bba4192aeeb499435a5d4e6c5693
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD539d506abb36c1cb72124060b985fa494
SHA1ed0813fb94cf190247b376cbbcc53bc7304017aa
SHA2565f2f783578b7e093d056814d66c50b76852a2991e6bfe4a03424dc27df47993d
SHA512ddcaac04c9083b077241c80040ce0a2265040961a771dd013ab611054f68f57e0c829fbc968cdcc84fffcb33595f0027f6e885f365b66c22192ef5d82a388ec1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5ae4f80e53073d55b57b18b71f04ebd3d
SHA16618f2f643d2f96f776c37084530c29704d5297c
SHA256b9c4eeb109ca6cbcc81d6e2ff454c995c3e202a9901bc87597872daf66fc3632
SHA5120f2e1721f793ccd2ba0c3dee2efe6ee08dfd95bf3bf9cb9bc2cac009517f3ab1ee614b14dfc86c933daf4b9dc09fb095956fb9a86662a10e02bffad088868c51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5f27e75bc133f148627a9c6b34a72515c
SHA1087c9d66c7e18ec294393f12d9c009866d753e96
SHA25675f6fac71250f0f443e440311a40d7e010b9be6888b8e6d01cf8e5f6a240b9ad
SHA512c55b05146acfcf2d6c2a4dc4bd6c631e2638cff83fe98cda2e5c06c0f5e6f73189119bf27dd993ff300519de542e1fea6542be2b1c09e79d5f000f06e573ee0a
-
\??\pipe\LOCAL\crashpad_4632_TMJPUCVGCDZFJQFQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e