metasploit | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
Size

1.8MB
MD5

cb4ba6416cde10601ecab0c757c5e03e
SHA1

ec26d878ac04f33de2966a3bf1a333c1b7bd3283
SHA256

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d
SHA512

72c163a50e9f29f6019be181ba38fadfde8788acc392815661754b785bb4829b11a520c1c318357259d0e5a1ed991100db145dfa1dc9d74fc5d2bca6055327d1
SSDEEP

24576:R3vL762VhZBJ905EmMyPnQxhe4427l9BoUj3QC/hR:R3P6UZTHMW

Score

10^/10

metasploit backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

1.15.12.73:4567

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in Drivers directory 1 IoCs

Processes:

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

description	ioc	process
File opened (read-only)	\??\A:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\I:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\T:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\W:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\Z:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\E:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\H:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\L:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\M:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\N:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\O:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\U:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\X:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\G:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\J:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\Q:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\V:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\Y:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\B:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\K:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\P:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\R:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
File opened (read-only)	\??\S:	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3000	msedge.exe
3000	msedge.exe
3992	msedge.exe
3992	msedge.exe
1644	identity_helper.exe
1644	identity_helper.exe
5804	msedge.exe
5804	msedge.exe
5804	msedge.exe
5804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exebe0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

description	pid	process
Token: SeDebugPrivilege	2280	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
Token: SeDebugPrivilege	2280	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
Token: SeDebugPrivilege	2168	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
Token: SeDebugPrivilege	2168	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exebe0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exemsedge.exe

description	pid	process	target process
PID 2280 wrote to memory of 2168	2280	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
PID 2280 wrote to memory of 2168	2280	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
PID 2280 wrote to memory of 2168	2280	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
PID 2168 wrote to memory of 3992	2168	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe	msedge.exe
PID 2168 wrote to memory of 3992	2168	be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe	msedge.exe
PID 3992 wrote to memory of 1652	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 1652	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 4384	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 3000	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 3000	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 848	3992	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
"C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
"C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe" Admin
2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa338046f8,0x7ffa33804708,0x7ffa33804718
4⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
4⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
4⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
4⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
4⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
4⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
4⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
4⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
4⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
4⤵
PID:608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
4⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
4⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
4⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
4⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6996feb1-52b9-4144-b7b7-59dc04169b10.tmp
Filesize
11KB

MD5
e97706012906d86d6349fe9aa0e63716

SHA1
b0bc503578f3878ec4601915af3e380cdd5d5c1c

SHA256
031374113b0bd3f16db3335796d47e3f62c530014d2445c2aeba54bfea06299c

SHA512
be2991f9f4ab287c1cb4fe87070c53008644bf68b9b539c325a062e1608e8a2ed0bacbc4cadd9a0ad610f933e4f82eaece4e0a5fd2506298220ffb26ec0b2aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cf441e9ccdc624961722049c12702228

SHA1
126c1ad5d2e25fd30d1c3c9f81eb99451a1aea1e

SHA256
992fc8452f683a4477c64c4ed91fce6fa08cbd4336f5fce7eb85cdfe6f84bc09

SHA512
5e339bfb3e03eb3ddb2bc16b3aa92cc9a0f79f9680c74d3355754353cc5266f1cbfeb115e4dd8842d28c9a854e299f1fb78bfb611e7ecdb4184d91fbbc0534d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9e9fa043dbac8a7806e89062c2c08f3a

SHA1
58414c7d34bf37d1daf7f69b4e9476ed851ca54f

SHA256
ce4109244bd73989e570302b9d1d2fece3f069b92c34fbc0bfcc3c380f405c8b

SHA512
f41c77c652695e7d288e120b22e207fb81c2662d935ac92019854fa829a4f5b6b739335c339be8fb52d25a0d09be4eceb59f526c4c50e21014cf4ef100f1dac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
\??\pipe\LOCAL\crashpad_3992_PFSZQQUIOASQLHQP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2168-11-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2168-9-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2168-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2280-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2280-2-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download