metasploit | 26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4

General

Target

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
Size

1.8MB
MD5

5be1c8d0790b735d1545984386d5815e
SHA1

8cd41a99376903b5a80229412e7613c6058481fc
SHA256

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4
SHA512

357de79c81693860fdb12fbea737ee06cc50337b0e44c99e255d1d0bb1b4e5bc597a32d6d64a6ffea64d0868a5d9d33e0f3fbb777205c5d202a7c551ce817e6c
SSDEEP

24576:/3vLRdVhZBK8NogWYO090OGi9J3YiWdCMJ5QxmjwC/hR:/3d5ZQ1YxJIiW0MbQxA

Score

10^/10

metasploit backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

1.15.12.73:4567

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in Drivers directory 1 IoCs

Processes:

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

description	ioc	process
File opened (read-only)	\??\H:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\I:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\L:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\P:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\R:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\S:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\Y:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\A:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\E:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\J:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\U:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\Z:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\G:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\M:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\O:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\Q:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\V:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\X:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\B:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\K:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\N:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\T:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
File opened (read-only)	\??\W:	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
100	msedge.exe
100	msedge.exe
3944	msedge.exe
3944	msedge.exe
3528	identity_helper.exe
3528	identity_helper.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

description	pid	process
Token: SeDebugPrivilege	3932	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
Token: SeDebugPrivilege	3932	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
Token: SeDebugPrivilege	364	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
Token: SeDebugPrivilege	364	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exemsedge.exe

description	pid	process	target process
PID 3932 wrote to memory of 364	3932	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
PID 3932 wrote to memory of 364	3932	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
PID 3932 wrote to memory of 364	3932	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
PID 364 wrote to memory of 3944	364	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe	msedge.exe
PID 364 wrote to memory of 3944	364	26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe	msedge.exe
PID 3944 wrote to memory of 1588	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1588	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 1448	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 100	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 100	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe
PID 3944 wrote to memory of 4440	3944	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
"C:\Users\Admin\AppData\Local\Temp\26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe
"C:\Users\Admin\AppData\Local\Temp\26d2e5fe22606c4bbaf349fc01cd47b8cadca7f25cc4938aa695761c009380d4.exe" Admin
2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9301b46f8,0x7ff9301b4708,0x7ff9301b4718
4⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
4⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
4⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
4⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
4⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
4⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
4⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
4⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
4⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
4⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
4⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
4⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
4⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
4⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16743645969795504035,3277476846016965080,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5948 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83ae74bf8575e44e0c7315fed8046ba1

SHA1
27d4ea553cdaf82e37b57caf457b1486bd4b516d

SHA256
155dea61d1d10c219df9e64d499f0acc5c06b5ed921fe8703f6d34a65e602664

SHA512
cd4ada0830e9264d3429fb1a2071aa96d53ac07649e3059563e7a1d6776f9881138b3d8b6d2dcf251f8c680e4f25570ac84640917245b6224ea68d334615f49d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0da3c1e7fe4aeb01734d3843a0609ac6

SHA1
6bc98dcff8b647a2b9b651b3ae141f8c1545190f

SHA256
a8db71c94fc99e75d5cdb5f33da53c4a9c0686e1ec49353cee2f154ff7abfbde

SHA512
2233ce389828ebd837f2b7242c248017289aea7421c4855966c6e983c5d9fe407e06e2990f0760702ef5ecf669e5ca8074aea36be7b5dc997a2ed3e5e02f416d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fec748c2a295f68346bc93cea3f8cdec

SHA1
37790f99f1a562472c81907d69cec65cf2303b4a

SHA256
405eb24e35624bbd7f3e7e33664ac9b6ecf0eef6bc3a27790b7c7d120b4a97c5

SHA512
c3e2dac8db03b021403d54e3f8bb8cbc27f65318af7651ce665e16735fd7421201e382e5eee4948f2548fc29205fec0ce19d145b6dbaa287ac9af340db84672f

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
\??\pipe\LOCAL\crashpad_3944_ZZGKFIDBZXAACRCP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/364-11-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/364-9-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/364-6-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3932-0-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3932-4-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3932-3-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3932-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads