Analysis
-
max time kernel
149s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
-
submitted
23-05-2024 08:19
-
Static task
static1
-
Behavioral task
behavioral1
-
Sample
be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
-
Resource
win7-20240215-en
General
-
Target
be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
-
Size
1.8MB
-
MD5
cb4ba6416cde10601ecab0c757c5e03e
-
SHA1
ec26d878ac04f33de2966a3bf1a333c1b7bd3283
-
SHA256
be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d
-
SHA512
72c163a50e9f29f6019be181ba38fadfde8788acc392815661754b785bb4829b11a520c1c318357259d0e5a1ed991100db145dfa1dc9d74fc5d2bca6055327d1
-
SSDEEP
24576:R3vL762VhZBJ905EmMyPnQxhe4427l9BoUj3QC/hR:R3P6UZTHMW
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Drops file in Drivers directory 1 IoCs
Processes: be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
description | ioc | process
File opened (read-only), one entry per drive letter | \??\A:, \??\I:, \??\T:, \??\W:, \??\Z:, \??\E:, \??\H:, \??\L:, \??\M:, \??\N:, \??\O:, \??\U:, \??\X:, \??\G:, \??\J:, \??\Q:, \??\V:, \??\Y:, \??\B:, \??\K:, \??\P:, \??\R:, \??\S: | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: msedge.exe, identity_helper.exe
pid | process | entries
3000 | msedge.exe | 2
3992 | msedge.exe | 2
1644 | identity_helper.exe | 2
5804 | msedge.exe | 4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedge.exe
pid | process | entries
3992 | msedge.exe | 10
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
description | pid | process | entries
Token: SeDebugPrivilege | 2280 | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe | 2
Token: SeDebugPrivilege | 2168 | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe | 2
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process | entries
3992 | msedge.exe | 25
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process | entries
3992 | msedge.exe | 24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe, msedge.exe
description | pid | process | target process | entries
PID 2280 wrote to memory of 2168 | 2280 | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe | 3
PID 2168 wrote to memory of 3992 | 2168 | be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe | msedge.exe | 2
PID 3992 wrote to memory of 1652 | 3992 | msedge.exe | msedge.exe | 2
PID 3992 wrote to memory of 4384 | 3992 | msedge.exe | msedge.exe | 40
PID 3992 wrote to memory of 3000 | 3992 | msedge.exe | msedge.exe | 2
PID 3992 wrote to memory of 848 | 3992 | msedge.exe | msedge.exe | 15
Processes
-
C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe"
Depth: 1
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
-
C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\be0173862bf8aeb4a4b2cbac206b9696bfd367f84ee70d25b1138fdfa04a208d.exe" Admin
Depth: 2
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
Depth: 3
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa338046f8,0x7ffa33804708,0x7ffa33804718
Depth: 4
PID:1652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
Depth: 4
PID:4384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
Depth: 4
- Suspicious behavior: EnumeratesProcesses
PID:3000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
Depth: 4
PID:848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
Depth: 4
PID:2440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
Depth: 4
PID:2804
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
Depth: 4
PID:3184
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
Depth: 4
- Suspicious behavior: EnumeratesProcesses
PID:1644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
Depth: 4
PID:4696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
Depth: 4
PID:972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
Depth: 4
PID:2816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
Depth: 4
PID:608
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
Depth: 4
PID:5200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
Depth: 4
PID:5284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
Depth: 4
PID:5716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
Depth: 4
PID:4440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,17346153068997834673,10138825650673133069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 /prefetch:2
Depth: 4
- Suspicious behavior: EnumeratesProcesses
PID:5804
-
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:3120
-
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:2432
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6996feb1-52b9-4144-b7b7-59dc04169b10.tmp
Filesize
11KB
MD5
e97706012906d86d6349fe9aa0e63716
SHA1
b0bc503578f3878ec4601915af3e380cdd5d5c1c
SHA256
031374113b0bd3f16db3335796d47e3f62c530014d2445c2aeba54bfea06299c
SHA512
be2991f9f4ab287c1cb4fe87070c53008644bf68b9b539c325a062e1608e8a2ed0bacbc4cadd9a0ad610f933e4f82eaece4e0a5fd2506298220ffb26ec0b2aa1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
8b167567021ccb1a9fdf073fa9112ef0
SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
537815e7cc5c694912ac0308147852e4
SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB
MD5
cf441e9ccdc624961722049c12702228
SHA1
126c1ad5d2e25fd30d1c3c9f81eb99451a1aea1e
SHA256
992fc8452f683a4477c64c4ed91fce6fa08cbd4336f5fce7eb85cdfe6f84bc09
SHA512
5e339bfb3e03eb3ddb2bc16b3aa92cc9a0f79f9680c74d3355754353cc5266f1cbfeb115e4dd8842d28c9a854e299f1fb78bfb611e7ecdb4184d91fbbc0534d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB
MD5
9e9fa043dbac8a7806e89062c2c08f3a
SHA1
58414c7d34bf37d1daf7f69b4e9476ed851ca54f
SHA256
ce4109244bd73989e570302b9d1d2fece3f069b92c34fbc0bfcc3c380f405c8b
SHA512
f41c77c652695e7d288e120b22e207fb81c2662d935ac92019854fa829a4f5b6b739335c339be8fb52d25a0d09be4eceb59f526c4c50e21014cf4ef100f1dac9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Windows\system32\drivers\etc\hosts
Filesize
822B
MD5
03450e8ddb20859f242195450c19b8f1
SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a
SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b
-
\??\pipe\LOCAL\crashpad_3992_PFSZQQUIOASQLHQP
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2168-11-0x0000000000400000-0x00000000005E5000-memory.dmp
Filesize
1.9MB
-
memory/2168-9-0x0000000000400000-0x00000000005E5000-memory.dmp
Filesize
1.9MB
-
memory/2168-6-0x00000000022D0000-0x00000000022D1000-memory.dmp
Filesize
4KB
-
memory/2280-0-0x0000000002330000-0x0000000002331000-memory.dmp
Filesize
4KB
-
memory/2280-4-0x0000000000400000-0x00000000005E5000-memory.dmp
Filesize
1.9MB
-
memory/2280-2-0x0000000002570000-0x0000000002571000-memory.dmp
Filesize
4KB
-
memory/2280-1-0x0000000002330000-0x0000000002331000-memory.dmp
Filesize
4KB