Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 07:38

Static task: static1
Behavioral task: behavioral1
Sample: e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe
Resource: win7-20231129-en
General
- Target: e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe
- Size: 1.8MB
- MD5: 789d6f366212cbfed66f17d8c5ddfdf5
- SHA1: 4af75266f815629d268ba588f085e955182620ce
- SHA256: e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c
- SHA512: 0972a22c149d6b0c618ae20ff53c715d0a905b3d7c7499e4db0e199edf47e23eb05499ffc9f5b0a23d97b7ba71420471ffce4ba6308761cc11c814024bba49ad
- SSDEEP: 24576:/3vLRdVhZBK8NogWYO09HOGi9J3YiWdCMJ5QxmjwC/hR:/3d5ZQ1NxJIiW0MbQxA
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process), all by e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe:
    File opened (read-only) | \??\E:, \??\L:, \??\X:, \??\S:, \??\U:, \??\Y:, \??\J:, \??\O:, \??\P:, \??\K:, \??\Q:, \??\T:, \??\W:, \??\B:, \??\H:, \??\I:, \??\N:, \??\R:, \??\V:, \??\Z:, \??\A:, \??\G:, \??\M:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process):
    1484 | msedge.exe (x2)
    2500 | msedge.exe (x2)
    4176 | identity_helper.exe (x2)
    3496 | msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes (pid | process):
    2500 | msedge.exe (x10)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4464 | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe (x2)
    Token: SeDebugPrivilege | 3224 | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe (x2)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid | process):
    2500 | msedge.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid | process):
    2500 | msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), repeated entries collapsed with their counts:
    PID 4464 wrote to memory of 3224 | 4464 | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe (x3)
    PID 3224 wrote to memory of 2500 | 3224 | e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe | msedge.exe (x2)
    PID 2500 wrote to memory of 1496 | 2500 | msedge.exe | msedge.exe (x2)
    PID 2500 wrote to memory of 3080 | 2500 | msedge.exe | msedge.exe (x40)
    PID 2500 wrote to memory of 1484 | 2500 | msedge.exe | msedge.exe (x2)
    PID 2500 wrote to memory of 2352 | 2500 | msedge.exe | msedge.exe (x15)
Processes (indented by parent/child level)
- C:\Users\Admin\AppData\Local\Temp\e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe"
  PID: 4464
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e67d387985a8f67c26617e565deca30d0f5f748bfe2641a1a1a0d3d2af2bf38c.exe" Admin
    PID: 3224
    - Drops file in Drivers directory
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
      PID: 2500
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa083046f8,0x7ffa08304708,0x7ffa08304718
        PID: 1496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1452 /prefetch:2
        PID: 3080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        PID: 1484
        - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        PID: 2352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        PID: 1036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        PID: 3528
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        PID: 3656
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        PID: 4176
        - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        PID: 1716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
        PID: 1112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        PID: 1920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
        PID: 1012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
        PID: 2588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
        PID: 404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
        PID: 3060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
        PID: 2540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,7485005372802485492,17277747844477359407,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6040 /prefetch:2
        PID: 3496
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2836
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2356
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 612a6c4247ef652299b376221c984213
  SHA1: d306f3b16bde39708aa862aee372345feb559750
  SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
  SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 56641592f6e69f5f5fb06f2319384490
  SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
  SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
  SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 6eecb5aa7f1543c7654482d80242ac2b
  SHA1: 72ad9da598e1ad01ca8bfabae7097345e244998d
  SHA256: fd78386256c9aa2774bf48fb4b27f34d9325142d60aad33d4650b209d807e981
  SHA512: 7b38af5745fd5eb6e020d5f9945d127c74579575708727c2bb43b83f5b72510f4cb544e2da3ec6f67f739f0f872f14a8069a42b9a9819b8daaf6c1ea8068012b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 2e6c0b927cfd74ac7b693a7e449c3dc1
  SHA1: 97af917acc2addf5c440c4a3592782f12482c86c
  SHA256: def3b386d944bbe19c1db985c90675cfee222262a31a35adeadc1af7b4329be0
  SHA512: 121c837a56e32afa6047126455c699c099184c18542a79354faed5861c1d855759244d25e6daeeca0aa2f575ca88728f5a75bbb7d81dc268e540455e7cbf8cf7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: e24183093b15b40bcfc2e73c67156bbf
  SHA1: ea2f5bb5ee85cc83cfd1e1ce146621f7f234986b
  SHA256: 7534614501fc2a55d5f04fbde195a00dceb335221e9a087b8a3ea6f1dba00ff3
  SHA512: 38cbb960293a34c094b2223e9deb2f105aa06d81a967b7d779b9269b968139292eac2e79423069dedca96b64d2b3b623d59f27b0e247554d02d94d6ee889760b
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 822B
  MD5: 03450e8ddb20859f242195450c19b8f1
  SHA1: 9698f8caf67c8853e14c8bf4933949f458c3044a
  SHA256: 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
  SHA512: 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b
- \??\pipe\LOCAL\crashpad_2500_HLOODLAFIELBUMTI
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/3224-11-0x0000000000400000-0x00000000005E5000-memory.dmp
  Filesize: 1.9MB
- memory/3224-9-0x0000000000400000-0x00000000005E5000-memory.dmp
  Filesize: 1.9MB
- memory/3224-6-0x0000000002430000-0x0000000002431000-memory.dmp
  Filesize: 4KB
- memory/4464-0-0x0000000000750000-0x0000000000751000-memory.dmp
  Filesize: 4KB
- memory/4464-4-0x0000000000400000-0x00000000005E5000-memory.dmp
  Filesize: 1.9MB
- memory/4464-2-0x00000000022E0000-0x00000000022E1000-memory.dmp
  Filesize: 4KB
- memory/4464-1-0x0000000000750000-0x0000000000751000-memory.dmp
  Filesize: 4KB