Analysis
- max time kernel: 69s
- max time network: 76s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2024 13:09
- Static task: static1
- Behavioral task: behavioral1 (Sample: KeePass-2.56-Setup.exe; Resource: win7-20240215-en)
- Behavioral task: behavioral2 (Sample: KeePass-2.56-Setup.exe; Resource: win10v2004-20240426-en)
General
- Target: KeePass-2.56-Setup.exe
- Size: 4.2MB
- MD5: 86a0d58d2ae89c639d940dbda48308df
- SHA1: 1280f427d149a8c5ca797a9ea29e711a3fa2b5ef
- SHA256: 92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef
- SHA512: 9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a
- SSDEEP: 98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: ShInstUtil.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (ShInstUtil.exe)
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
  - 5004 KeePass-2.56-Setup.tmp
  - 4872 ShInstUtil.exe
  - 4112 ShInstUtil.exe
  - 3748 ShInstUtil.exe
  - 1108 KeePass.exe
- Loads dropped DLL (9 IoCs)
  Processes (pid, process):
  - 4656 mscorsvw.exe
  - 2776 mscorsvw.exe (x2)
  - 4348 mscorsvw.exe
  - 3524 mscorsvw.exe (x2)
  - 2480 mscorsvw.exe
  - 4720 mscorsvw.exe
  - 1108 KeePass.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ShInstUtil.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeePass 2 PreLoad = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" --preload" (ShInstUtil.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (23 IoCs)
  Processes: KeePass-2.56-Setup.tmp (all entries)
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePassLibC32.dll
  - File created: C:\Program Files\KeePass Password Safe 2\is-D7CHM.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-SDM40.tmp
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePass.exe
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePass.chm
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
  - File created: C:\Program Files\KeePass Password Safe 2\is-67MG8.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-KRV40.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-0V27K.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-6IEDJ.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\XSL\is-EPLC0.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\XSL\is-2I9AK.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-F2H5C.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-1QSAD.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\is-OT6CL.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\XSL\is-MET01.tmp
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\unins000.dat
  - File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePassLibC64.dll
  - File created: C:\Program Files\KeePass Password Safe 2\unins000.dat
  - File created: C:\Program Files\KeePass Password Safe 2\is-320PS.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\XSL\is-9KO35.tmp
  - File created: C:\Program Files\KeePass Password Safe 2\XSL\is-0U7HC.tmp
- Drops file in Windows directory (12 IoCs)
  Processes: mscorsvw.exe (all entries)
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\dc4-0\System.Deployment.dll
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b0-0\System.Runtime.Serialization.Formatters.Soap.dll
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1270-0\KeePass.exe
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10fc-0\System.Numerics.dll
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\30f6c60da79eb8872c9c335ce775ac8e\KeePass.ni.exe.aux.tmp
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1230-0\System.Data.SqlXml.dll
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ad8-0\System.Security.dll
  - File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Modifies registry class (12 IoCs)
  Processes: KeePass-2.56-Setup.tmp (all entries)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\",0"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\ = "&Open with KeePass Password Safe"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\ = "KeePass Database"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\AlwaysShowExt
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" \"%1\""
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx\ = "kdbxfile"
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process):
  - 5004 KeePass-2.56-Setup.tmp (x2)
  - 3708 msedge.exe (x2)
  - 1624 msedge.exe (x3)
  - 4444 identity_helper.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes (pid, process):
  - 1624 msedge.exe (x6)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: KeePass.exe
  - Token: SeDebugPrivilege (pid 1108, KeePass.exe)
- Suspicious use of FindShellTrayWindow (30 IoCs)
  Processes (pid, process):
  - 5004 KeePass-2.56-Setup.tmp (x1)
  - 1624 msedge.exe (x25)
  - 1108 KeePass.exe (x4)
- Suspicious use of SendNotifyMessage (27 IoCs)
  Processes (pid, process):
  - 1624 msedge.exe (x24)
  - 1108 KeePass.exe (x3)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Entries (source pid -> target pid, source process -> target process, number of entries):
  - 1592 -> 5004, KeePass-2.56-Setup.exe -> KeePass-2.56-Setup.tmp (x3)
  - 5004 -> 4872, KeePass-2.56-Setup.tmp -> ShInstUtil.exe (x3)
  - 5004 -> 4112, KeePass-2.56-Setup.tmp -> ShInstUtil.exe (x3)
  - 5004 -> 3748, KeePass-2.56-Setup.tmp -> ShInstUtil.exe (x3)
  - 3748 -> 4536, ShInstUtil.exe -> ngen.exe (x2)
  - 3748 -> 4636, ShInstUtil.exe -> ngen.exe (x2)
  - 5004 -> 1108, KeePass-2.56-Setup.tmp -> KeePass.exe (x2)
  - 5004 -> 1624, KeePass-2.56-Setup.tmp -> msedge.exe (x2)
  - 1624 -> 220, msedge.exe -> msedge.exe (x2)
  - 1624 -> 4740, msedge.exe -> msedge.exe (x40)
  - 1624 -> 3708, msedge.exe -> msedge.exe (x2)
Processes (each entry is the process command line; indented entries are children of the entry above; the signatures a process triggered are listed under it)
- "C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\is-TFRNG.tmp\KeePass-2.56-Setup.tmp" /SL5="$B0066,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check
      Signatures: Executes dropped EXE
    - "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
      Signatures: Executes dropped EXE; Adds Run key to start application
    - "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
      - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
          Signatures: Loads dropped DLL; Drops file in Windows directory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"
          Signatures: Loads dropped DLL; Drops file in Windows directory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"
          Signatures: Loads dropped DLL; Drops file in Windows directory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"
          Signatures: Loads dropped DLL; Drops file in Windows directory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2bc -Pipe 260 -Comment "NGen Worker Process"
          Signatures: Loads dropped DLL; Drops file in Windows directory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 27c -Pipe 2c4 -Comment "NGen Worker Process"
          Signatures: Loads dropped DLL; Drops file in Windows directory
    - "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://keepass.info/plugins.html
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8a0546f8,0x7ffd8a054708,0x7ffd8a054718
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5219790294599542468,3426417887359182070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
  Filesize: 448KB
  MD5: 89e19d93a58fac5db151666e4babd019
  SHA1: 18295f15fa79fe345aa81c894f88c9a0b9e5fffe
  SHA256: 0a9fb364207de3ff6b072b63c3ef35929db58c77f8cca5bc11c61b9d195207f0
  SHA512: 9c1df97295d656b8af5ac82c4c3050bb86daade360e38cb0dbeacba6cc5094288ad2537585b9824812bb9755547eb287ca500137b6117b3150007fa6e4847cc0
- C:\Program Files\KeePass Password Safe 2\KeePass.config.xml
  Filesize: 252B
  MD5: ac0f1e104f82d295c27646bfff39fecc
  SHA1: 34309b00045503fce52adf638ec8be5f32cb6b1d
  SHA256: c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440
  SHA512: be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839
- C:\Program Files\KeePass Password Safe 2\KeePass.exe
  Filesize: 3.1MB
  MD5: b4250862f4d1f151d2edc123ab2c8a77
  SHA1: ed1a56b9d794c2b695bf5d587fdf6cdb121a56fa
  SHA256: 09d730282184ec2ba4cc8c1c089837b323e7b6bab0101206e206455d903e4d2a
  SHA512: e3263cc43f88764626f81f6987de40d707c0a80d74443ac08d7f285e2827ebf325accf9479d499938dad03fa5817544866e72e1c1d1c74bb81d5e04b731ac2ba
- C:\Program Files\KeePass Password Safe 2\KeePass.exe.config
  Filesize: 763B
  MD5: ff0c23b97df708cca2030a96c914c3a9
  SHA1: 8523b7b505f770e5f6ad6561e16a4ecdf2f28ab5
  SHA256: 3348d697fe118aaa0fdd36087c5105d9b9af14abfd0fb10568c118941637c26e
  SHA512: 33af19712cbb57ef3fb74ac0745e097b7aadd2f65cb9073ff52575604d85292206a7687d7104b18ae21fddafed3b12a73c110a491927a478e127ac09a5029265
- C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  Filesize: 94KB
  MD5: f5d989c6a6afc473b8c5e2c4cf1586a5
  SHA1: 4607715357d9b869511e50073f75f7f65aea3e0e
  SHA256: 783053f791ac52c7e5600209a5c83c18419d4dd093be9541839d38549f13f91b
  SHA512: fed81e10aaa6d6fc0d957436b43d1303b5f0736037aa4c0ec69d0b528db6c366ad71c295f1f64eabc89416e7d9e41857f5e451b28b4629ac74736e6d6f89a88e
- C:\Program Files\KeePass Password Safe 2\unins000.exe
  Filesize: 3.0MB
  MD5: a96ef5a2191bcf92dd9cc0a62522c69f
  SHA1: c7f2d102b5fb3883a0906b876fe5c8370d82d0c4
  SHA256: 3b8555ecb75212eb84e09110194b7696d8c3bf8eec87d5a05dcef2684c9ae028
  SHA512: 0d2611617d32a3599714c6fdda5f30d377a776b89ec195f454aafdda381de61fa788dec5886eec62f906b24da0cf1588ccb00702835f2ca8d53f276cf5205741
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4dc6fc5e708279a3310fe55d9c44743d
  SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
  SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
  SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: c9c4c494f8fba32d95ba2125f00586a3
  SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
  SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
  SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 8afa4debfd32a854e8f634bf4bd0bf0e
  SHA1: 062db43f8bf81cb1c894b21b02ca95f547b9aae4
  SHA256: fa751b79361708fcda659ff24acfad083be655d2ec689362eb613a5f70871029
  SHA512: 8a34c6eb298b8e4be31d632db22861f15c35d9afece1a8882bc65e8ef1de6d22f153775fedcc9908917127e5f706615ce105c710f9562cb9711371b5035e0f1d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 1a6ac72df186dd1579133883679d00ae
  SHA1: 49046e9f2e763b6c4f20d4487252cdd442449045
  SHA256: f56c63bb0b0874506ab188be1a32ea0055636726431659d172a93f200ac57f22
  SHA512: 244a15831fa08ec796ad24cf37e5678e70f23076f15dcc6685a968968e2a165033e5ffcfa56719d96a55d9e71ca98845ecc518f88ed6352b169d1bf48ed3d746
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 4c73d23474eae4051f70eefcee7d696f
  SHA1: c7c9f2d2d58d9d9283bd54a32864e9ebfc4716d8
  SHA256: 93c33243c5db9ac15c48514c60e8ddf16290eed33ec0e59bbbd90d28e05b70a2
  SHA512: 364b2b3188c6427981b531aeabcabf3c43762c25849149cef0256e9ac8fa4c045fe98f87f58def2587f7478c5d263b68694088e1279a95c4065331f333cdd65f
- C:\Users\Admin\AppData\Local\Temp\is-TFRNG.tmp\KeePass-2.56-Setup.tmp
  Filesize: 3.0MB
  MD5: 354613dd35e43746f934c0e9d7b2543c
  SHA1: 8b7d3e5306279753e025279455a7d97e1c55cfe4
  SHA256: c11513e77b5cd81f07e33111d7a36f5ee4cf551113e30414de753a4c101173d6
  SHA512: b3d6a91087a942c5ce04efb179b04989402761b2e634cf1f58924563926d75e034bff675bfb517011c3f91d46d37a5ee69936487830e89270e933c6720d7ef56
- C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\30f6c60da79eb8872c9c335ce775ac8e\KeePass.ni.exe
  Filesize: 11.4MB
  MD5: 3282a854ee1f2738d4f0bb582a100d00
  SHA1: 6ef44376f8ee8d2f19fd2415601430c72e8dfadc
  SHA256: 0be1b43348ba24fa57955ea17afb8c8d210740966abededd632fd00d98e2bf79
  SHA512: dcf65f53f9494e0228dc3b907857a2a3d4afffbcac5aa26a388cbaa546b70277e45dbfda48c2642903b764bdce2a200452d1972810e6b8e70043b62ba3c8a911
- C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\30f6c60da79eb8872c9c335ce775ac8e\KeePass.ni.exe.aux
  Filesize: 1KB
  MD5: 7da5b0fea9ff82c5f38332290b66665c
  SHA1: dae2049e86b35d9d84daf2f25140cebb49b965f1
  SHA256: 2fb034e6ee9c6bbdcfbe6469fbd56f8d2ebdaa5be72558f9f8344e40275eabfc
  SHA512: b55453046d6a4e474002f6b61e933f6e12a9a686494a5cd8b82cbe4d419bbb69904d3d0688fc7df1cd3072419d6733d07ed50770064a967d4e89ca06ac485517
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll
  Filesize: 3.0MB
  MD5: b0bd1b2c367441f420d9cc270cf7fab6
  SHA1: bdd65767f9c8047125a86b66b5678d8d72a76911
  SHA256: 447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa
  SHA512: 551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux
  Filesize: 708B
  MD5: 688ac15ac387cbac93d705be85b08492
  SHA1: a4fabce08bbe0fee991a8a1a8e8e62230f360ff2
  SHA256: ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470
  SHA512: a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll
  Filesize: 3.0MB
  MD5: 3385fdacfda1fc77da651550a705936d
  SHA1: 207023bf3b3ff2c93e9368ba018d32bb11e47a8a
  SHA256: 44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec
  SHA512: bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll
  Filesize: 314KB
  MD5: 50b28be2b84f9dd1258a346525f8c2e5
  SHA1: 203abebaa5c22c9f6ac099d020711669e6655ed8
  SHA256: 6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac
  SHA512: d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll
  Filesize: 345KB
  MD5: 35738b026183e92c1f7a6344cfa189fd
  SHA1: ccc1510ef4a88a010087321b8af89f0c0c29b6d8
  SHA256: 4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb
  SHA512: ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll
  Filesize: 986KB
  MD5: e4b53e736786edcfbfc70f87c5ef4aad
  SHA1: 62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5
  SHA256: 9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46
  SHA512: 42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde
- C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux
  Filesize: 912B
  MD5: 255a843ca54e88fd16d2befcc1bafb7a
  SHA1: aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9
  SHA256: 8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed
  SHA512: 666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45
- \??\pipe\LOCAL\crashpad_1624_WCASNPYJOIOSLWNG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps (region, Filesize):
- memory/1108-166-0x0000000000760000-0x0000000000A88000-memory.dmp (Filesize: 3.2MB)
- memory/1108-201-0x0000000020430000-0x000000002049E000-memory.dmp (Filesize: 440KB)
- memory/1592-0-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
- memory/1592-2-0x0000000000401000-0x00000000004B7000-memory.dmp (Filesize: 728KB)
- memory/1592-8-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
- memory/2480-133-0x0000064449980000-0x00000644499D8000-memory.dmp (Filesize: 352KB)
- memory/2776-85-0x0000064449A20000-0x0000064449B18000-memory.dmp (Filesize: 992KB)
- memory/3484-62-0x00000230D2370000-0x00000230D23C0000-memory.dmp (Filesize: 320KB)
- memory/3484-60-0x00000230D26A0000-0x00000230D29C8000-memory.dmp (Filesize: 3.2MB)
- memory/3484-66-0x00000230BA320000-0x00000230BA342000-memory.dmp (Filesize: 136KB)
- memory/3484-65-0x00000230D2480000-0x00000230D2532000-memory.dmp (Filesize: 712KB)
- memory/3484-64-0x00000230B85C0000-0x00000230B85E2000-memory.dmp (Filesize: 136KB)
- memory/3484-63-0x00000230D3A80000-0x00000230D3C06000-memory.dmp (Filesize: 1.5MB)
- memory/3524-118-0x0000064445320000-0x000006444561E000-memory.dmp (Filesize: 3.0MB)
- memory/4348-100-0x0000064443EC0000-0x0000064443F11000-memory.dmp (Filesize: 324KB)
- memory/4656-67-0x00000644451A0000-0x00000644454A4000-memory.dmp (Filesize: 3.0MB)
- memory/4720-149-0x0000064488000000-0x0000064488B64000-memory.dmp (Filesize: 11.4MB)
- memory/5004-179-0x0000000000400000-0x0000000000708000-memory.dmp (Filesize: 3.0MB)
- memory/5004-15-0x0000000000400000-0x0000000000708000-memory.dmp (Filesize: 3.0MB)
- memory/5004-9-0x0000000000400000-0x0000000000708000-memory.dmp (Filesize: 3.0MB)
- memory/5004-6-0x0000000000400000-0x0000000000708000-memory.dmp (Filesize: 3.0MB)