b9cdc60586f0ba16468d7a4a62a30d4c745d283919ecc94b7a08eaa560def688

Analysis

max time kernel
1799s
max time network
1703s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mytes0day0-x86_64.exe
Size

142.0MB
MD5

08cb33e525a2253ae59fec269c2f0d9c
SHA1

bd7ac817a7bf60214e2aa52c2a018436fab3470e
SHA256

a0a6f4578659074b7be51289664a3195006ad1d4282ba0896d210cb91c012bc5
SHA512

86166c03f1dc193179676c5cd3541ace56ff1a0700f455153c0769f40cf6cbae65d4e137ee45a0be67eb2d3b11b974668c4dd6200772f2338e20f806c1a00fab
SSDEEP

196608:CqUwzcptcpa2B9CmPy6SaqgPqrvPShawfDQHumRAKUuVf0gP:CgzcpwaoRPwPSIAKUuVfH

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 discord.com
13 discord.com

flow	ioc
14	discord.com
13	discord.com

Drops file in System32 directory 57 IoCs

Processes:

mytes0day0-x86_64.exe

description	ioc	process
File opened for modification	C:\Windows\System32\advapi32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\imm32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\urlmon.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\win32u.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\iertutil.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\OneCoreUAPCommonProxyStub.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\user32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\GDI32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\combase.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\Secur32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\policymanager.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\wintypes.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\shell32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\ole32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\edputil.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\msvcp110_win.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\srvcli.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\netutils.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\Windows.StateRepositoryPS.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\shcore.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\OneCoreCommonProxyStub.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\profapi.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\psapi.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\SSPICLI.DLL	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\CFGMGR32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\System32\sechost.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	mytes0day0-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\MLANG.dll	mytes0day0-x86_64.exe

Drops file in Windows directory 1 IoCs

Processes:

mytes0day0-x86_64.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	mytes0day0-x86_64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{8CB1D6A4-90C6-4BCE-835A-7E523FE0850C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1732	msedge.exe
1732	msedge.exe
3148	msedge.exe
3148	msedge.exe
2112	msedge.exe
2112	msedge.exe
2544	identity_helper.exe
2544	identity_helper.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3148 msedge.exe
3148 msedge.exe
3148 msedge.exe
3148 msedge.exe
3148 msedge.exe
3148 msedge.exe
3148 msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

mytes0day0-x86_64.exe

description	pid	process
Token: SeDebugPrivilege	5092	mytes0day0-x86_64.exe
Token: SeTcbPrivilege	5092	mytes0day0-x86_64.exe
Token: SeTcbPrivilege	5092	mytes0day0-x86_64.exe
Token: SeLoadDriverPrivilege	5092	mytes0day0-x86_64.exe
Token: SeCreateGlobalPrivilege	5092	mytes0day0-x86_64.exe
Token: SeLockMemoryPrivilege	5092	mytes0day0-x86_64.exe
Token: 33	5092	mytes0day0-x86_64.exe
Token: SeSecurityPrivilege	5092	mytes0day0-x86_64.exe
Token: SeTakeOwnershipPrivilege	5092	mytes0day0-x86_64.exe
Token: SeManageVolumePrivilege	5092	mytes0day0-x86_64.exe
Token: SeBackupPrivilege	5092	mytes0day0-x86_64.exe
Token: SeCreatePagefilePrivilege	5092	mytes0day0-x86_64.exe
Token: SeShutdownPrivilege	5092	mytes0day0-x86_64.exe
Token: SeRestorePrivilege	5092	mytes0day0-x86_64.exe
Token: 33	5092	mytes0day0-x86_64.exe
Token: SeIncBasePriorityPrivilege	5092	mytes0day0-x86_64.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

mytes0day0-x86_64.exemsedge.exe

pid	process
5092	mytes0day0-x86_64.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mytes0day0-x86_64.exemsedge.exe

description	pid	process	target process
PID 5092 wrote to memory of 3148	5092	mytes0day0-x86_64.exe	msedge.exe
PID 5092 wrote to memory of 3148	5092	mytes0day0-x86_64.exe	msedge.exe
PID 3148 wrote to memory of 2176	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 2176	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 456	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 1732	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 1732	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe
PID 3148 wrote to memory of 4368	3148	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\mytes0day0-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\mytes0day0-x86_64.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/0day
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffbf88e46f8,0x7ffbf88e4708,0x7ffbf88e4718
3⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
3⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
3⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
3⤵
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3884 /prefetch:8
3⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4024 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
3⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
3⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
3⤵
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
3⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
3⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6423832947691210367,8181344325902081851,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
2e98a5d73cb6c1a5dfc8196a994d5aa5

SHA1
189b2672a0dfe3ffa0448cc4a3b38bf5fcf1d3b8

SHA256
20d590b712c59c3868eecccd7725cd71c0fcc090c0d0bbeb3b60abf7301923e3

SHA512
7621ae5383e4e0b411bdad5dcdecc865a078094c7eeca09821869c134207664a83b5bec9c15f71a8ee464a0449c83b186118d7312c396b9e4b1a603c270497e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
323B

MD5
a5a1149047729a493b1a2a65063c39ba

SHA1
8f1f45cb0c0772dcd05795734cbf408636fb9fb9

SHA256
e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006

SHA512
8ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9f98c5d52c4c13fa093a8465b5d3e9d6

SHA1
bd413ec54b570b1dcb986c40ef383969e002ceef

SHA256
6ce7b391664a8a4d7d06b93e73c1b71c1a211f018a50626775dc583d80104621

SHA512
dacc6855a3fe6f95193843285e5b9598837ca8a4d99ff8b2e3dac02e67acdf70fd7545135ad401eee41347a616f133c473b40ddca94e5bc055d4a8fea5e2448b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
25b083b1fa8893d620f8c67b21f07fa0

SHA1
b00585b8e9aa1468431cd1d1f8f05cf4e8664e87

SHA256
6b626bb3e93b373dc2736fc19fb89603d0b5cca2ea90cd90ee0395e66a9c2f4e

SHA512
f5c5ffbea5f8fe2b5e6fd4732947ab56796aa64efea03e973196e1ae5f127dfb13acfec7cee833c4fe804385741fcf078148592717c854ab8dcfd6c7bf40eea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
d638f4d54628821602232be2533185b8

SHA1
f03bfd4f498cc90ae726266583e2b4805329de4c

SHA256
abe177a814e79faf4ea05661cf18200c951de5fa439931108ff6b07f06b39412

SHA512
d265b480c8dd18d47244cd3e0ac9b5964c62a4e0b5a3abb97a685f066fe69707c09c6a5db2bf523ac4f6173a47d1c838487f9c6d8d19e4f1cf9bfbb8e869f3a9

Download Submit
\??\pipe\LOCAL\crashpad_3148_UEKTIXCURXYLJYXG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5092-32-0x000000000D770000-0x000000000D771000-memory.dmp

Filesize
4KB

Download
memory/5092-18-0x000000000D710000-0x000000000D711000-memory.dmp

Filesize
4KB

Download
memory/5092-17-0x000000000D710000-0x000000000D711000-memory.dmp

Filesize
4KB

Download
memory/5092-20-0x000000000D720000-0x000000000D721000-memory.dmp

Filesize
4KB

Download
memory/5092-22-0x000000000D730000-0x000000000D731000-memory.dmp

Filesize
4KB

Download
memory/5092-24-0x000000000D750000-0x000000000D751000-memory.dmp

Filesize
4KB

Download
memory/5092-26-0x000000000D760000-0x000000000D761000-memory.dmp

Filesize
4KB

Download
memory/5092-30-0x000000000D760000-0x000000000D761000-memory.dmp

Filesize
4KB

Download
memory/5092-34-0x000000000D770000-0x000000000D771000-memory.dmp

Filesize
4KB

Download
memory/5092-36-0x000000000D770000-0x000000000D771000-memory.dmp

Filesize
4KB

Download