Resubmissions
16-06-2024 00:37
240616-ayjhvs1hmh 814-06-2024 16:58
240614-vgwr3ssgkn 814-06-2024 16:57
240614-vggm6ayfrd 812-06-2024 16:08
240612-tlcpbs1crg 8Analysis
-
max time kernel
81s -
max time network
89s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
16-06-2024 00:37
Behavioral task
behavioral1
Sample
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
Resource
win10v2004-20240611-en
General
-
Target
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
-
Size
856KB
-
MD5
733766ff5495f04d82744291993eb69e
-
SHA1
2830778313fd7fccc6c8129d419b1757368078fd
-
SHA256
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef
-
SHA512
cf3bf548e743894888ba3ea191a289f09d9f36215e1306aa21e61f0ea81473eec6df01a6e7f05f9251ecb9cc71c654934a53d4916c4152bf8fa4a95119e98cf2
-
SSDEEP
12288:0zqKbHTadreUv6e2faqsW8lEsbjwepi8K2cE4b5wxH5/uek6JA6QfmpFiMtMv7u3:yPaFnCec8vj1p7pc5bQZ/uesmoqt7jF
Malware Config
Signatures
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindowsClientServerRunTimeSubsystem\Parameters\ServiceDll = "%SystemRoot%\\csrss.dll" c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Windows\csrss.dll acprotect -
Loads dropped DLL 1 IoCs
Processes:
pid process 1028 -
Processes:
resource yara_rule behavioral1/memory/1544-0-0x00000000009D0000-0x0000000000AB4000-memory.dmp upx behavioral1/memory/1544-2-0x0000000010000000-0x00000000100B8000-memory.dmp upx behavioral1/memory/1544-5-0x0000000010000000-0x00000000100B8000-memory.dmp upx behavioral1/memory/1544-6-0x0000000010000000-0x00000000100B8000-memory.dmp upx behavioral1/memory/1544-7-0x0000000010000000-0x00000000100B8000-memory.dmp upx behavioral1/memory/1544-9-0x0000000010000000-0x00000000100B8000-memory.dmp upx behavioral1/memory/1544-10-0x00000000009D0000-0x0000000000AB4000-memory.dmp upx C:\Windows\csrss.dll upx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exedescription ioc process File opened for modification \??\PhysicalDrive0 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exepid process 1544 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe -
Drops file in Windows directory 3 IoCs
Processes:
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exedescription ioc process File opened for modification \??\c:\windows\csrss.exe c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe File opened for modification \??\c:\windows\csrss.dll c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe File created \??\c:\windows\csrss.dll c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629718638726631" msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{9AF48081-C2DB-4B51-A893-6471E7F8BF35} msedge.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msedge.exepid process 3124 msedge.exe 3124 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
msedge.exepid process 3124 msedge.exe 3124 msedge.exe 3124 msedge.exe 3124 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exedescription pid process Token: SeSecurityPrivilege 1544 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe Token: SeRestorePrivilege 1544 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe Token: SeTakeOwnershipPrivilege 1544 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exemsedge.exedescription pid process target process PID 1544 wrote to memory of 4024 1544 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe msedge.exe PID 1544 wrote to memory of 4024 1544 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe msedge.exe PID 3124 wrote to memory of 4304 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 4304 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 2208 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3600 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3600 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe PID 3124 wrote to memory of 3172 3124 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"1⤵
- Sets DLL path for service in the registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/9742⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=1408,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=1412,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5376,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5500,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5516,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6012,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffe09c94ef8,0x7ffe09c94f04,0x7ffe09c94f102⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2392,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1904,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2548,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4016,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4016,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4772,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5092,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5116,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5472,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5608,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5584,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=4580,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=4544,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3580,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
11KB
MD5436d81c7ab1cdb4a736dc4a4b767daf6
SHA19f17e3a3142e8b20f822da27a2f30e9f5b3aac04
SHA25692969cac136ee7ff8f1b8106eaa67a07f168afc320d67525614d1b6c202419a1
SHA5128c355c0ccc17e97a7ccc721be188a1d8470aff66d914915461e19d328b976cfdb8709b462bd0ecb193488246e9340c4868ef77eafd249df7e1bfec0367b4d2ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
66KB
MD52091d0e7140d7c00ebffc80d1fa01932
SHA12bfd04b3cd14b568983ea81a6f588ee2443d1617
SHA256a453e55bd9aa728f4ac31aafefddf02ed8e06435dc908d1f973c32fe6ad5c6c0
SHA51261ebb1e781b9afaf9d4f58e3a1cf7c9b9ebea9d74f9ec816476606c4f2d9deec5e1c57401d5eecfbd95b126c1a5cb0b5843018a18323a6505c7dfeb88837206f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
66KB
MD54fea3ee7fdf2f337eed9715582d0ce1a
SHA123a3a22b074c73bee23a12a683a9ad4cd793d14a
SHA256f466529468f88c9c55fa92e690bdb04f9fc3a8e157ab9fc4507324aea925d98f
SHA51281017ef2123bbe0b6d6f945c08b0ba77d8014c21734c33a49bbfacb91c4fe89bf5c9f2f0a2b47f97e36245bfb07d7909fea23da5b7a142c6b91cdd2ce772383e
-
C:\Windows\csrss.dllFilesize
655KB
MD57dd38f8951c2fa66a1291c7d297e1947
SHA1a3feb1be32160c5196bba30830c1543958ac0045
SHA256c6e185606e9ed62db354b8b8a298f470c01dcce8c5a4f409bfc5b918b5fd1c09
SHA512cf6575bbcf7c8442e98d3e05519c79eb58a1e268acd1b66ce1fd8e9e8192a3791ce02474e5a41c4848644806dbeccb40dba93e6ad57bb37a5fa78528df0536f6
-
\??\pipe\crashpad_3124_KDQWISZJXOVNJEGOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1544-6-0x0000000010000000-0x00000000100B8000-memory.dmpFilesize
736KB
-
memory/1544-10-0x00000000009D0000-0x0000000000AB4000-memory.dmpFilesize
912KB
-
memory/1544-9-0x0000000010000000-0x00000000100B8000-memory.dmpFilesize
736KB
-
memory/1544-7-0x0000000010000000-0x00000000100B8000-memory.dmpFilesize
736KB
-
memory/1544-0-0x00000000009D0000-0x0000000000AB4000-memory.dmpFilesize
912KB
-
memory/1544-5-0x0000000010000000-0x00000000100B8000-memory.dmpFilesize
736KB
-
memory/1544-2-0x0000000010000000-0x00000000100B8000-memory.dmpFilesize
736KB