Analysis
max time kernel: 47s
max time network: 47s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 09:04
Static task: static1
Behavioral task: behavioral1
Sample: 835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89_NeikiAnalytics.exe
Resource: win7-20240611-en
General
Target: 835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89_NeikiAnalytics.exe
Size: 9.6MB
MD5: a75e524f17faa4befe802508e16719c0
SHA1: 32ff457d4a1c7d11e6a9062bda7e50765edb8de8
SHA256: 835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89
SHA512: 40f4b9b98875349515f51cbc242147818de73488a481cd079622249d97471d0e6a714d10cc3d36a495dd4905c5ac5b62d842b7b84ed63d01eb8584e76dd01d9c
SSDEEP: 196608:SONojzJF63e3CLEfX3cxLlUiBCfNxBolZkiACy7o:SONojzJF6vEfAZP4PBol1ACy7
Malware Config
Extracted: phorphiex
mutex: 55a4er5wo
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Process: sysmablsvr.exe
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"
Phorphiex payload 2 IoCs
yara_rule family_phorphiex: C:\Users\Admin\AppData\Local\Temp\154494417.exe
yara_rule family_phorphiex: C:\Users\Admin\AppData\Local\Temp\264337264.exe
Process: sysmablsvr.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes (pid, process):
1776 4DE1.exe
1188 154494417.exe
4600 sysmablsvr.exe
4692 264337264.exe
Process: sysmablsvr.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application 2 TTPs 1 IoCs
Process: 154494417.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 2 IoCs
Process: 154494417.exe
File created: C:\Windows\sysmablsvr.exe
File opened for modification: C:\Windows\sysmablsvr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Process: msedge.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid, process):
2504 835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89_NeikiAnalytics.exe (4 entries)
2244 msedge.exe (2 entries)
4492 msedge.exe (2 entries)
3396 identity_helper.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes (pid, process):
4492 msedge.exe (8 entries)
Suspicious use of FindShellTrayWindow 26 IoCs
Processes (pid, process):
4492 msedge.exe (26 entries)
Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid, process):
4492 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid / process -> target pid / process; repeated entries listed once):
2504 835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89_NeikiAnalytics.exe -> 1776 4DE1.exe
1776 4DE1.exe -> 1188 154494417.exe
1188 154494417.exe -> 4600 sysmablsvr.exe
2504 835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89_NeikiAnalytics.exe -> 4492 msedge.exe
4492 msedge.exe -> 4968 msedge.exe
4492 msedge.exe -> 3468 msedge.exe
4492 msedge.exe -> 2244 msedge.exe
4492 msedge.exe -> 4820 msedge.exe
Processes (tree; bracketed number is the depth of the process in the tree)
[1] "C:\Users\Admin\AppData\Local\Temp\835fa1c2fbba3005e453bab1a36b9a9c77d345197553ade815e5b4e976487e89_NeikiAnalytics.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\4DE1.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\154494417.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\sysmablsvr.exe
          - Modifies security service
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
        [5] C:\Users\Admin\AppData\Local\Temp\264337264.exe
            - Executes dropped EXE
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.surfright.nl/downloads/#x64
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b1a046f8,0x7ff9b1a04708,0x7ff9b1a04718
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9942990620979261589,15253634382999299776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads