Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 11:31
Static task: static1
Behavioral task: behavioral1
Sample: d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
Resource: win7-20240508-en
General
Target: d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
Size: 1.8MB
MD5: ab87070c931dcb7a84edc25cba2477e9
SHA1: c16dbe72b4976d1671be7da68a16fb85868437d9
SHA256: d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c
SHA512: 2f291823463d381ebd39ac1c528c52785eeb51df367c32cd5d691230503608478b339ffda466e7392e1f8f73acca250b470896bf43703c0f5074dd594ac4d189
SSDEEP: 24576:/3vLRdVhZBK8NogWYO09QOGi9JxHJR4tlF7EOcJPbB7NY5S6ezjwC/hR:/3d5ZQ1sxJlJRWqPF7NN/
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567

Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar. windows/shell_reverse_tcp is the stageless (inline) command-shell payload, so the whole shell and its connect-back address are embedded in the binary; the extracted 1.15.12.73:4567 is the LHOST:LPORT the payload dials out to.
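The extracted config above is recoverable statically because the x86 Metasploit reverse_tcp block builds its sockaddr_in on the stack with two immediate pushes (push LHOST; push AF_INET | LPORT<<16) followed by mov esi, esp. The Python below is an added example, not tooling from the sandbox or from Metasploit: it scans a byte blob for that instruction pattern and returns every LHOST/LPORT pair it finds. The shellcode fragment it runs on is constructed here from the instruction encoding around the address reported on this page; it is not a copy of the sample's bytes, and the padding around it is arbitrary.

```python
"""Recover LHOST/LPORT from an x86 Metasploit reverse_tcp payload (added example)."""
import re
import socket
import struct

# In the x86 reverse_tcp block the sockaddr_in is built on the stack as:
#   68 <4 bytes: s_addr in network order>      push LHOST
#   68 02 00 <2 bytes: port in network order>  push (AF_INET | LPORT << 16)
#   89 E6                                      mov esi, esp
# Matching the two pushes plus the mov pins down the connect-back address.
SOCKADDR_PUSH = re.compile(
    rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})\x89\xe6", re.DOTALL
)


def extract_reverse_tcp(blob: bytes) -> list[tuple[str, int]]:
    """Return every (LHOST, LPORT) pair whose stack-build pattern appears in blob."""
    found = []
    for m in SOCKADDR_PUSH.finditer(blob):
        ip = socket.inet_ntoa(m.group("ip"))
        (port,) = struct.unpack("!H", m.group("port"))
        found.append((ip, port))
    return found


def build_sockaddr_fragment(lhost: str, lport: int) -> bytes:
    """Encode the three instructions above for lhost:lport (used to build test input)."""
    return (
        b"\x68" + socket.inet_aton(lhost)
        + b"\x68\x02\x00" + struct.pack("!H", lport)
        + b"\x89\xe6"
    )


# Constructed stand-in for the payload region of a binary: NOP padding, the
# retry-counter push (6A xx) that precedes the sockaddr build in the stager,
# then the build for the address this page reports. Not bytes from the sample.
SAMPLE_BLOB = (
    b"\x90" * 16
    + b"\x6a\x0a"
    + build_sockaddr_fragment("1.15.12.73", 4567)
    + b"\xcc" * 16
)


def scan_file(path: str) -> list[tuple[str, int]]:
    """Scan a file on disk (the dropped EXE or a memory dump) for reverse_tcp configs."""
    with open(path, "rb") as fh:
        return extract_reverse_tcp(fh.read())


if __name__ == "__main__":
    for host, port in extract_reverse_tcp(SAMPLE_BLOB):
        print(f"reverse_tcp connect-back -> {host}:{port}")
```

Run scan_file over the dropped EXE and over the memory/4236-4 and memory/2140-9 dumps listed under Downloads: if the payload is only decoded at runtime the file scan comes back empty while the dump scan still yields 1.15.12.73:4567. The pattern is specific to the x86 block; the x64 variant loads the whole sockaddr with a single 64-bit immediate and would need its own regex.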
Drops file in Drivers directory 1 IoCs
Processes:
description                    ioc                                      process
File opened for modification   C:\Windows\system32\drivers\etc\hosts    d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
The hosts file as it stood after the run is listed under Downloads (822B, MD5 03450e8ddb20859f242195450c19b8f1); the signature only records that the file was opened for writing, so compare it with a known-good copy to see which name-to-address mappings, if any, were added or removed.
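The comparison suggested above, as an added example that is not part of the report: parse both files into (address, hostname) pairs, diff them, and label each added mapping as a sinkhole (points a name at loopback or 0.0.0.0, the usual way to block update or AV domains) or a redirect (points a name at some other host). The baseline and the tampered file below are constructed; the hostnames and the 198.51.100.7 address are placeholders, not indicators from this sample.

```python
"""Diff a captured hosts file against a known-good baseline (added example)."""
import ipaddress

# Addresses that make a name resolve nowhere useful: a hosts entry to one of
# these blocks the name rather than redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0", "::"}

# Constructed baseline in the shape of the stock Windows hosts file: comment
# lines only, with the localhost mappings commented out.
BASELINE = """\
# comment-only baseline (constructed for this example)
#	127.0.0.1       localhost
#	::1             localhost
"""

# Constructed tampered copy: the baseline plus three appended mappings.
TAMPERED = BASELINE + """\
0.0.0.0 updates.example-av.test
198.51.100.7 login.example.com   # hypothetical redirect
198.51.100.7 www.example.com
"""


def parse_hosts(text: str) -> set[tuple[str, str]]:
    """Return {(address, hostname)} for every active mapping in a hosts file."""
    entries = set()
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))   # normalises e.g. IPv6 spelling
        except ValueError:
            continue                               # malformed line, not a mapping
        for name in fields[1:]:                    # one line may map several names
            entries.add((addr, name.lower()))
    return entries


def diff_hosts(baseline: str, current: str):
    """Return (added, removed) mapping sets relative to the baseline."""
    base, cur = parse_hosts(baseline), parse_hosts(current)
    return cur - base, base - cur


def classify(added: set[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Label each added mapping as 'sinkhole' or 'redirect', sorted by address then name."""
    out = []
    for addr, name in sorted(added):
        kind = "sinkhole" if addr in SINKHOLE_ADDRESSES else "redirect"
        out.append((name, addr, kind))
    return out


def check_hosts_file(path: str, baseline: str = BASELINE):
    """Read a captured hosts file from disk and classify what it adds over the baseline."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        added, _removed = diff_hosts(baseline, fh.read())
    return classify(added)


if __name__ == "__main__":
    added, removed = diff_hosts(BASELINE, TAMPERED)
    for name, addr, kind in classify(added):
        print(f"{kind:8s} {name} -> {addr}")
    print(f"removed: {sorted(removed)}")
```

Feed check_hosts_file the 822-byte hosts file from the Downloads section with a baseline taken from a clean machine of the same Windows build; an empty "added" set with identical file size would mean the open-for-modification was not followed by a content change.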
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description         ioc                                                                                                      process
Key value queried   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation   d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe, File opened (read-only), 23 drive roots in this order: \??\A:, \??\S:, \??\W:, \??\B:, \??\E:, \??\O:, \??\Q:, \??\U:, \??\V:, \??\Y:, \??\J:, \??\K:, \??\L:, \??\P:, \??\R:, \??\X:, \??\Z:, \??\G:, \??\H:, \??\I:, \??\M:, \??\N:, \??\T: (every letter except C:, D: and F:)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description         ioc                                                                      process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid, process, hit count):
3808 msedge.exe (2), 2704 msedge.exe (2), 3416 identity_helper.exe (2), 3496 msedge.exe (4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes (pid, process, hit count):
2704 msedge.exe (10)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process, hit count):
Token: SeDebugPrivilege   4236   d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe (2)
Token: SeDebugPrivilege   2140   d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe (2)

Suspicious use of FindShellTrayWindow 25 IoCs
Processes (pid, process, hit count):
2704 msedge.exe (25)

Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid, process, hit count):
2704 msedge.exe (24)

Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid, process -> target pid, target process; hit count):
4236 d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe -> 2140 d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe (3)
2140 d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe -> 2704 msedge.exe (2)
2704 msedge.exe -> 4768 msedge.exe (2)
2704 msedge.exe -> 956 msedge.exe (40)
2704 msedge.exe -> 3808 msedge.exe (2)
2704 msedge.exe -> 4044 msedge.exe (15)
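The 64 WriteProcessMemory rows above are far more readable as a writer-to-target graph, and the shape of that graph is what matters for triage: the dropped binary writing into a freshly relaunched copy of itself is the self-spawn-plus-injection pattern, while a Chromium browser writing into its own child processes during start-up is routine. The Python below is an added example, not part of the report: it parses rows in the flattened "PID a wrote to memory of b a image image" form, collapses duplicates into counts and applies those two heuristic labels. The input is a transcription of the rows on this page with the sha256-named binary shortened to sample.exe; the labels and the BROWSER_IMAGES set are this example's assumptions.

```python
"""Collapse sandbox 'wrote to memory' IoC rows into a labelled process-write graph (added example)."""
import re
from collections import Counter

# Row shape as it appears flattened on the report page:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Constructed input: the page's rows with the binary renamed to sample.exe.
ROWS = (
    "PID 4236 wrote to memory of 2140 4236 sample.exe sample.exe " * 3
    + "PID 2140 wrote to memory of 2704 2140 sample.exe msedge.exe " * 2
    + "PID 2704 wrote to memory of 4768 2704 msedge.exe msedge.exe " * 2
    + "PID 2704 wrote to memory of 956 2704 msedge.exe msedge.exe " * 40
    + "PID 2704 wrote to memory of 3808 2704 msedge.exe msedge.exe " * 2
    + "PID 2704 wrote to memory of 4044 2704 msedge.exe msedge.exe " * 15
)

# Images whose parent->child writes are part of normal process start-up
# (the Chromium sandbox broker writes into each child it launches). Assumption
# of this example; extend to taste.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}


def parse_write_rows(text: str) -> Counter:
    """Map (src_pid, src_image, dst_pid, dst_image) to the number of rows observed."""
    counts: Counter = Counter()
    for src, dst, src_img, dst_img in ROW.findall(text):
        counts[(int(src), src_img, int(dst), dst_img)] += 1
    return counts


def label_edge(src_img: str, dst_img: str) -> str:
    """Heuristic triage label for one writer->target edge."""
    if src_img == dst_img and src_img in BROWSER_IMAGES:
        return "routine browser child setup"
    if src_img == dst_img:
        return "self-relaunch + write into child (hollowing-style)"
    return "cross-image write"


def triage_edges(counts: Counter) -> list[tuple[int, str, int, str, int, str]]:
    """Return (src_pid, src_image, dst_pid, dst_image, count, label) sorted by pids."""
    return [
        (src, src_img, dst, dst_img, n, label_edge(src_img, dst_img))
        for (src, src_img, dst, dst_img), n in sorted(counts.items())
    ]


def suspicious_edges(counts: Counter) -> list[tuple[int, str, int, str, int, str]]:
    """Only the edges a human should look at: everything not labelled routine."""
    return [e for e in triage_edges(counts) if not e[5].startswith("routine")]


if __name__ == "__main__":
    graph = parse_write_rows(ROWS)
    print(f"{sum(graph.values())} rows, {len(graph)} distinct edges")
    for src, si, dst, di, n, label in triage_edges(graph):
        print(f"{src:>5} {si:12s} -> {dst:>5} {di:12s} x{n:<3d} {label}")
```

On this page's rows the filter leaves three edges: 4236 into 2140 (same image, the relaunch with the Admin argument), 2140 into 2704 (the binary into msedge.exe it just launched) and nothing else; the 59 msedge-to-msedge rows drop out.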
Processes
The dropped binary (PID 4236 in the signature tables above) relaunches its own image with the argument Admin; it is that second instance (PID 2140) that opens the hosts file, walks the drive letters and starts Edge on http://www.178stu.com/my.htm. Everything beneath the msedge.exe entry is the browser's own helper processes (crashpad, gpu, utility, renderer, identity_helper). Tree depth is shown by the bracketed level and indentation.

[1] "C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\d523546025b845dcfcbd8ce8e0d5a52366a3303fa8d7d8046e5319845cac8a2c.exe" Admin
      - Drops file in Drivers directory
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa083046f8,0x7ffa08304708,0x7ffa08304718
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7922601214668654328,1128602523246309030,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5700 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize 152B
  MD5    612a6c4247ef652299b376221c984213
  SHA1   d306f3b16bde39708aa862aee372345feb559750
  SHA256 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
  SHA512 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize 152B
  MD5    56641592f6e69f5f5fb06f2319384490
  SHA1   6a86be42e2c6d26b7830ad9f4e2627995fd91069
  SHA256 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
  SHA512 c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize 5KB
  MD5    bc56974ecf3c94fddffaf93fbb420122
  SHA1   aab4ba09649eb6e9544e0168183ccd148579525c
  SHA256 a0acbddddc0d931370eacaaa61b9ba4b4ea4ddd867284ea2b5f8f2931f0512e6
  SHA512 85db1c979cdec55655ee6b1143f8250b95c2b3448a71bb0667172345ce9ac3c95990eec86b10374fce6e85daf1fab6a61dba6a7b35e4965d438791490c250b1c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize 6KB
  MD5    878aac9489c7b8d48d4ca5ae5fed6580
  SHA1   68d94414e1e3dcdcc0c491de93203d0d6a766486
  SHA256 b0fecdd1d5b8f48fe5a5b01a369e10817360c38ec7f052564bf2f3c5e05f7adc
  SHA512 7285d18d3541a4911769b77797cb59c8820af1eb5b1d2736c078fc27b0a5ec64c875ab158d6676ffb020eeeba6b122054d1b1950a7023e412d6598e8e0bbd3a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize 16B
  MD5    6752a1d65b201c13b62ea44016eb221f
  SHA1   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize 11KB
  MD5    8799271fccab59938c94351eed3a478a
  SHA1   fe8a2bd8979cd56551a41a218ef4a0c13752a24d
  SHA256 50dd4669797385e4b2ecf36f46b6957a56cb8d5faf5284bff209aba87482133f
  SHA512 05578cbf150cd6763cb3ccc81804f6e2072f36186f89a1f66a649eac7a1a57bd4e79246ceb1493c2a54d9fd46aedad9a43f07f072e2b4018128c9a887b9d8f2d

C:\Windows\system32\drivers\etc\hosts
  Filesize 822B
  MD5    03450e8ddb20859f242195450c19b8f1
  SHA1   9698f8caf67c8853e14c8bf4933949f458c3044a
  SHA256 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
  SHA512 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b
  (the copy of hosts referenced by the "Drops file in Drivers directory" signature; diff it against a clean file of the same Windows build)

\??\pipe\LOCAL\crashpad_2704_YTAFGYXQUNICNBJZ
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (all four digests are those of empty input: nothing was captured from the Edge crashpad pipe)

memory/2140-11-0x0000000000400000-0x00000000005E5000-memory.dmp   Filesize 1.9MB
memory/2140-9-0x0000000000400000-0x00000000005E5000-memory.dmp    Filesize 1.9MB
memory/2140-6-0x00000000023E0000-0x00000000023E1000-memory.dmp    Filesize 4KB
memory/4236-0-0x0000000000780000-0x0000000000781000-memory.dmp    Filesize 4KB
memory/4236-4-0x0000000000400000-0x00000000005E5000-memory.dmp    Filesize 1.9MB
memory/4236-2-0x0000000002570000-0x0000000002571000-memory.dmp    Filesize 4KB
memory/4236-1-0x0000000000780000-0x0000000000781000-memory.dmp    Filesize 4KB
The 0x400000-0x5E5000 region is dumped for both the first instance (4236) and the relaunched child (2140), i.e. the same 1.9MB image mapped at the same base in each; these dumps are the place to look for the reverse_tcp configuration if it is only assembled at runtime.