blackmoon | c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a

Analysis

max time kernel
147s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
Size

4.5MB
MD5

6ec4a53822b67469ddb216ec10df6ab7
SHA1

9faae3d74503b922aa56552259ae0d8c5f9f51c1
SHA256

c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a
SHA512

bd393473a6c05003a14b7b8b1ddb6fa908e904d2a1304a2131772b772d6a3716e90bb35802b7c52dc9178a09424eaaa215b9f0fc39b5558da9c2b1f187a541fa
SSDEEP

49152:xNIldFEedDqnroHO8wOZHOlvbuambSIN+6a9AknH:xNIPcnsHtvZHUbmb/+TK

Score

10^/10

blackmoon banker discovery spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 31 IoCs

resource	yara_rule
behavioral2/memory/4424-0-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-1-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-29-0x0000000002730000-0x0000000002741000-memory.dmp	family_blackmoon
behavioral2/memory/4424-28-0x0000000002730000-0x0000000002741000-memory.dmp	family_blackmoon
behavioral2/memory/4424-34-0x0000000002730000-0x0000000002741000-memory.dmp	family_blackmoon
behavioral2/memory/4424-11-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-30-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-12-0x0000000002660000-0x000000000266F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-35-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/4424-37-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-38-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-39-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-47-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/2392-51-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/4424-49-0x0000000002760000-0x000000000298F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-52-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-86-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-90-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	family_blackmoon
behavioral2/memory/2392-85-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	family_blackmoon
behavioral2/memory/2392-84-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	family_blackmoon
behavioral2/memory/2392-77-0x0000000002650000-0x000000000265F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-63-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-91-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/2392-93-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-94-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-95-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-103-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/2392-105-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-106-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/2392-108-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon
behavioral2/memory/2392-109-0x0000000002750000-0x000000000297F000-memory.dmp	family_blackmoon

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000233e7-23.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Loads dropped DLL 2 IoCs

pid	Process
4424	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4424-24-0x0000000074150000-0x000000007418C000-memory.dmp	upx
behavioral2/memory/4424-29-0x0000000002730000-0x0000000002741000-memory.dmp	upx
behavioral2/memory/4424-28-0x0000000002730000-0x0000000002741000-memory.dmp	upx
behavioral2/memory/4424-34-0x0000000002730000-0x0000000002741000-memory.dmp	upx
behavioral2/memory/4424-25-0x0000000002730000-0x0000000002741000-memory.dmp	upx
behavioral2/files/0x00070000000233e7-23.dat	upx
behavioral2/memory/4424-36-0x0000000074150000-0x000000007418C000-memory.dmp	upx
behavioral2/memory/4424-50-0x0000000074150000-0x000000007418C000-memory.dmp	upx
behavioral2/memory/2392-76-0x0000000073F00000-0x0000000073F3C000-memory.dmp	upx
behavioral2/memory/2392-90-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	upx
behavioral2/memory/2392-85-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	upx
behavioral2/memory/2392-84-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	upx
behavioral2/memory/2392-81-0x0000000002AB0000-0x0000000002AC1000-memory.dmp	upx
behavioral2/memory/2392-92-0x0000000073F00000-0x0000000073F3C000-memory.dmp	upx
behavioral2/memory/2392-104-0x0000000073F00000-0x0000000073F3C000-memory.dmp	upx
behavioral2/memory/2392-107-0x0000000073F00000-0x0000000073F3C000-memory.dmp	upx
behavioral2/memory/2392-113-0x0000000073F00000-0x0000000073F3C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\Q:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\V:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\J:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\K:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\L:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\M:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\N:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\O:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\U:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\X:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\Y:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\P:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\A:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\B:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\E:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\G:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\H:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\R:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\S:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\T:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\W:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened (read-only)	\??\Z:	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcp30.dll	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.dll	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvcp30.ico	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\Windows\msvcp30.ini	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\Windows\msvcp30.dll	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File created	C:\Windows\msvcp30.ico	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File opened for modification	C:\Windows\msvcp30.ini	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
File created	C:\Windows\msvcp30.dll	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
1608	msedge.exe
1608	msedge.exe
112	msedge.exe
112	msedge.exe
2404	identity_helper.exe
2404	identity_helper.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
Token: SeDebugPrivilege	2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4424	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 2392	4424	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe	91
PID 4424 wrote to memory of 2392	4424	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe	91
PID 4424 wrote to memory of 2392	4424	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe	91
PID 2392 wrote to memory of 112	2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe	93
PID 2392 wrote to memory of 112	2392	c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe	93
PID 112 wrote to memory of 3204	112	msedge.exe	94
PID 112 wrote to memory of 3204	112	msedge.exe	94
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 4500	112	msedge.exe	95
PID 112 wrote to memory of 1608	112	msedge.exe	96
PID 112 wrote to memory of 1608	112	msedge.exe	96
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97
PID 112 wrote to memory of 3920	112	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
"C:\Users\Admin\AppData\Local\Temp\c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe
  "C:\Users\Admin\AppData\Local\Temp\c0c447412fa391ccb526e41bea8de2ecac0172ae1b053ce5ff53878ab55bb90a.exe" Master
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.30my.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4d8e46f8,0x7ffc4d8e4708,0x7ffc4d8e4718
      4⤵
      PID:3204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
      4⤵
      PID:5000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      4⤵
      PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      4⤵
      PID:1728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
      4⤵
      PID:2504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      4⤵
      PID:684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12458010824552847040,4636049007857278088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
      4⤵
      PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
125aa62703b34d2771acb0b275080c3f

SHA1
b16da1ba31e7a4d380842840d204e58e3dfdb78b

SHA256
da8e3720f345f0f3708e708e99ee257f373504ecda5f654553175287ae793fa9

SHA512
2c993faf4eb6684dfbec6c849be7381e7922ddf1ff7af90f53bccd40abeb2cfa4864a44da52f68c73e7ded094d1edd28715e2419cc372b5e172a890d5646da20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4d0ed8b628a5967b3a060b36b4866c2

SHA1
cf5cf9c5d877856fdd430391db3863b0be07b151

SHA256
581a18338b410351c0b7cfc2aad7e2b4ed933c200780f17565e1ee6dd05c9c50

SHA512
3479de5bba6ca93d2ef08fdcca6358e0542b1d4f4d257c30e41e0e3576dc9d81e279a77397075155d98bb321a4d637d8e57907a90b822278827995f1d9f36ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
397c376936aaac57e6a2f2d51a23099c

SHA1
bc1fbf6f85dfe0384febde28be2930afb92b8e8a

SHA256
17ed958d9a454c5d7ca3d7ad629776eba1429f3b3250f5ecd923bed6a7bc54c0

SHA512
740358971af50223029e6ef4da14a88c6d484e1d017811613d671ef2e4c9dabee582014cc49a48f96a834447699b7243fcab17f90b7d7bfcebd4f3ad4cfde56c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2755123dcca8b34085bc746863192b80

SHA1
4e51396769d8fd180c3fcaf832ac8a2129d4c65f

SHA256
02724a6c9658d3269801c7f633e11537bda6db558cfb13c5b648829f21ec686c

SHA512
1993c8928c47732f8af1cc68d395cd2473bec3ed7b79a9c55f6328de01b5b9418a0b2d074ed185a395bcf89868475be46bd217d01f3590362d37c627ce743ee4

Download Submit
C:\Users\Admin\Desktop\Ä§Óò·¢²¼Íø.url

Filesize
120B

MD5
5c8c7c3ce78aa0a9d56f96ab77676682

SHA1
1a591e2d34152149274f46d754174aa7a7bb2694

SHA256
40a172493bd1337c6bfd9c0af15be6d6e5d539135dd766577a05362e859ff806

SHA512
8ef03cf1967157cf019d1e7b585a45042642d5a1d82c90ef68f1256e40fe162460e7c26919b1fdf8c33de9f95201ee6a13e69676436d7251a017c04fdf047a77

Download Submit
C:\Windows\SysWOW64\msvcp30.dll

Filesize
93KB

MD5
a6c4f055c797a43def0a92e5a85923a7

SHA1
efaa9c3a065aff6a64066f76e7c77ffcaaf779b2

SHA256
73bd285ac6fba28108cdc0d7311e37c4c4fc3ba7d0069c4370778ac3099e21a9

SHA512
d8120f7f59c212867c78af42f93db64d35f2d6eae7fc09021c0a6d8ca71a14bd2b2a3006027094ee2edcf65634dcdb3ac96da3ac810171fff021bed4c4254957

Download Submit
C:\Windows\SysWOW64\msvcp30.ini

Filesize
18B

MD5
2cd7883782c594d2e2654f8fe988fcbe

SHA1
042bcb87c29e901d70c0ad0f8fa53e0338c569fc

SHA256
aa98ce751ef6ac5401a9278f30c06e250dbbd5e8c2e2c378b0fdf33a205d7037

SHA512
88413dc63847682207d2b1e6cdfcb3de9cc73da5f900a1948e4aa262da20056bcb2486ee8a7c8a4f9b0aa3fdff6b99061262fbc67aebc99bf0b42e5bfc7db360

Download Submit
C:\Windows\msvcp30.ico

Filesize
264KB

MD5
bdccf3c42497089ae7001328305906ed

SHA1
cf6f28e09d98ebe516b408e6b15f03f5891fdc79

SHA256
5f191e3486c0bafdd237f8b79f6ce0f69d1f8c9f8c948d14ab061db36286b2f2

SHA512
d7876d8d414ca48903393aa523296ffe35bfa3c6b5bfc4ce70adfc93d31efa61a9bfeea571754cde2e205416e57c13df5c45551b5e6aae6eb53b951065ebbf5d

Download Submit
memory/2392-103-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/2392-91-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/2392-113-0x0000000073F00000-0x0000000073F3C000-memory.dmp

Filesize
240KB

Download
memory/2392-109-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-108-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-106-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/2392-51-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-107-0x0000000073F00000-0x0000000073F3C000-memory.dmp

Filesize
240KB

Download
memory/2392-105-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-52-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-76-0x0000000073F00000-0x0000000073F3C000-memory.dmp

Filesize
240KB

Download
memory/2392-86-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-90-0x0000000002AB0000-0x0000000002AC1000-memory.dmp

Filesize
68KB

Download
memory/2392-85-0x0000000002AB0000-0x0000000002AC1000-memory.dmp

Filesize
68KB

Download
memory/2392-84-0x0000000002AB0000-0x0000000002AC1000-memory.dmp

Filesize
68KB

Download
memory/2392-81-0x0000000002AB0000-0x0000000002AC1000-memory.dmp

Filesize
68KB

Download
memory/2392-77-0x0000000002650000-0x000000000265F000-memory.dmp

Filesize
60KB

Download
memory/2392-75-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2392-104-0x0000000073F00000-0x0000000073F3C000-memory.dmp

Filesize
240KB

Download
memory/2392-63-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-102-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2392-95-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-92-0x0000000073F00000-0x0000000073F3C000-memory.dmp

Filesize
240KB

Download
memory/2392-94-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/2392-93-0x0000000002750000-0x000000000297F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-38-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-12-0x0000000002660000-0x000000000266F000-memory.dmp

Filesize
60KB

Download
memory/4424-36-0x0000000074150000-0x000000007418C000-memory.dmp

Filesize
240KB

Download
memory/4424-35-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/4424-0-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-49-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-50-0x0000000074150000-0x000000007418C000-memory.dmp

Filesize
240KB

Download
memory/4424-47-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/4424-39-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-46-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4424-11-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-30-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-37-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download
memory/4424-25-0x0000000002730000-0x0000000002741000-memory.dmp

Filesize
68KB

Download
memory/4424-34-0x0000000002730000-0x0000000002741000-memory.dmp

Filesize
68KB

Download
memory/4424-28-0x0000000002730000-0x0000000002741000-memory.dmp

Filesize
68KB

Download
memory/4424-29-0x0000000002730000-0x0000000002741000-memory.dmp

Filesize
68KB

Download
memory/4424-24-0x0000000074150000-0x000000007418C000-memory.dmp

Filesize
240KB

Download
memory/4424-10-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4424-1-0x0000000002760000-0x000000000298F000-memory.dmp

Filesize
2.2MB

Download