Overview

#  Task / sample                  Platform
8  Static (static)
3  0day_Cheat_Engine.rar          windows10-2004-x64
8  commonmodulelist.txt           windows10-2004-x64
1  defines.lua                    windows10-2004-x64
3  donottrace.txt                 windows10-2004-x64
1  driver64.dat                   windows10-2004-x64
3  include/_mingw.h               windows10-2004-x64
3  include/assert.h               windows10-2004-x64
3  include/celib.h                windows10-2004-x64
3  include/conio.h                windows10-2004-x64
3  include/ctype.h                windows10-2004-x64
5  include/dir.h                  windows10-2004-x64
3  include/direct.h               windows10-2004-x64
3  include/dirent.h               windows10-2004-x64
3  languages/...64.pot            windows10-2004-x64
1  mrgg.sys                       windows10-2004-x64
1  mytes0day0-x86_64.exe          windows10-2004-x64
6  mytes0day0-x86_64.exe          windows10-2004-x64
6  packfiles.bat                  windows10-2004-x64
1  standalonephase1.exe           windows10-2004-x64
3  test1-x86_64.exe               windows10-2004-x64
   tiny.exe                       windows10-2004-x64
3  vmdisk.vbs                     windows10-2004-x64
1  win32/dbghelp.dll              windows10-2004-x64
3  win32/sqlite3.dll              windows10-2004-x64
3  win32/symsrv.dll               windows10-2004-x64
3  win32/symsrv.yes               windows10-2004-x64
3  win64/dbghelp.dll              windows10-2004-x64
1  win64/old/dbghelp.dll          windows10-2004-x64
1  win64/old/symsrv.dll           windows10-2004-x64
1  win64/sqlite3.dll              windows10-2004-x64
1  win64/symsrv.dll               windows10-2004-x64
1  win64/symsrv.yes               windows10-2004-x64
Analysis

max time kernel: 1799s
max time network: 1703s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 16:33
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1   0day_Cheat_Engine.rar             win10v2004-20240802-en
behavioral2   commonmodulelist.txt              win10v2004-20240802-en
behavioral3   defines.lua                       win10v2004-20240802-en
behavioral4   donottrace.txt                    win10v2004-20240802-en
behavioral5   driver64.dat                      win10v2004-20240802-en
behavioral6   include/_mingw.h                  win10v2004-20240802-en
behavioral7   include/assert.h                  win10v2004-20240802-en
behavioral8   include/celib.h                   win10v2004-20240802-en
behavioral9   include/conio.h                   win10v2004-20240802-en
behavioral10  include/ctype.h                   win10v2004-20240802-en
behavioral11  include/dir.h                     win10v2004-20240802-en
behavioral12  include/direct.h                  win10v2004-20240802-en
behavioral13  include/dirent.h                  win10v2004-20240802-en
behavioral14  languages/mytes0day0-x86_64.pot   win10v2004-20240802-en
behavioral15  mrgg.sys                          win10v2004-20240802-en
behavioral16  mytes0day0-x86_64.exe             win10v2004-20240802-en
behavioral17  mytes0day0-x86_64.exe             win10v2004-20240802-en
behavioral18  packfiles.bat                     win10v2004-20240802-en
behavioral19  standalonephase1.exe              win10v2004-20240802-en
behavioral20  test1-x86_64.exe                  win10v2004-20240802-en
behavioral21  tiny.exe                          win10v2004-20240802-en
behavioral22  vmdisk.vbs                        win10v2004-20240802-en
behavioral23  win32/dbghelp.dll                 win10v2004-20240802-en
behavioral24  win32/sqlite3.dll                 win10v2004-20240802-en
behavioral25  win32/symsrv.dll                  win10v2004-20240802-en
behavioral26  win32/symsrv.yes                  win10v2004-20240802-en
behavioral27  win64/dbghelp.dll                 win10v2004-20240802-en
behavioral28  win64/old/dbghelp.dll             win10v2004-20240802-en
behavioral29  win64/old/symsrv.dll              win10v2004-20240802-en
behavioral30  win64/sqlite3.dll                 win10v2004-20240802-en
behavioral31  win64/symsrv.dll                  win10v2004-20240802-en
behavioral32  win64/symsrv.yes                  win10v2004-20240802-en
General

Target: mytes0day0-x86_64.exe
Size: 142.0MB
MD5: 08cb33e525a2253ae59fec269c2f0d9c
SHA1: bd7ac817a7bf60214e2aa52c2a018436fab3470e
SHA256: a0a6f4578659074b7be51289664a3195006ad1d4282ba0896d210cb91c012bc5
SHA512: 86166c03f1dc193179676c5cd3541ace56ff1a0700f455153c0769f40cf6cbae65d4e137ee45a0be67eb2d3b11b974668c4dd6200772f2338e20f806c1a00fab
SSDEEP: 196608:CqUwzcptcpa2B9CmPy6SaqgPqrvPShawfDQHumRAKUuVf0gP:CgzcpwaoRPwPSIAKUuVfH
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Drops file in System32 directory (57 IoCs)
- Drops file in Windows directory (1 IoCs)
  mytes0day0-x86_64.exe: File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies registry class (1 IoCs)
  msedge.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{8CB1D6A4-90C6-4BCE-835A-7E523FE0850C}
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  mytes0day0-x86_64.exe (PID 5092), token privileges adjusted:
  Token: SeDebugPrivilege
  Token: SeTcbPrivilege
  Token: SeTcbPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeCreateGlobalPrivilege
  Token: SeLockMemoryPrivilege
  Token: 33
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeManageVolumePrivilege
  Token: SeBackupPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeShutdownPrivilege
  Token: SeRestorePrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
- Suspicious use of FindShellTrayWindow (26 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\mytes0day0-x86_64.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\mytes0day0-x86_64.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/0day
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffbf88e46f8,0x7ffbf88e4708,0x7ffbf88e4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3884 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4024 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads