Overview

Static analysis task: score 8

Score  Sample                   Platform
3      0day_Cheat_Engine.rar    windows10-2004-x64
8      commonmodulelist.txt     windows10-2004-x64
1      defines.lua              windows10-2004-x64
3      donottrace.txt           windows10-2004-x64
1      driver64.dat             windows10-2004-x64
3      include/_mingw.h         windows10-2004-x64
3      include/assert.h         windows10-2004-x64
3      include/celib.h          windows10-2004-x64
3      include/conio.h          windows10-2004-x64
3      include/ctype.h          windows10-2004-x64
5      include/dir.h            windows10-2004-x64
3      include/direct.h         windows10-2004-x64
3      include/dirent.h         windows10-2004-x64
3      languages/...64.pot      windows10-2004-x64
1      mrgg.sys                 windows10-2004-x64
1      mytes0day0-x86_64.exe    windows10-2004-x64
6      mytes0day0-x86_64.exe    windows10-2004-x64
6      packfiles.bat            windows10-2004-x64
1      standalonephase1.exe     windows10-2004-x64
3      test1-x86_64.exe         windows10-2004-x64
-      tiny.exe                 windows10-2004-x64
3      vmdisk.vbs               windows10-2004-x64
1      win32/dbghelp.dll        windows10-2004-x64
3      win32/sqlite3.dll        windows10-2004-x64
3      win32/symsrv.dll         windows10-2004-x64
3      win32/symsrv.yes         windows10-2004-x64
3      win64/dbghelp.dll        windows10-2004-x64
1      win64/old/dbghelp.dll    windows10-2004-x64
1      win64/old/symsrv.dll     windows10-2004-x64
1      win64/sqlite3.dll        windows10-2004-x64
1      win64/symsrv.dll         windows10-2004-x64
1      win64/symsrv.yes         windows10-2004-x64
Analysis

max time kernel:   1799s
max time network:  1702s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:         02-08-2024 16:33
Static task: static1

Behavioral tasks (all run on resource win10v2004-20240802-en):

Task          Sample
behavioral1   0day_Cheat_Engine.rar
behavioral2   commonmodulelist.txt
behavioral3   defines.lua
behavioral4   donottrace.txt
behavioral5   driver64.dat
behavioral6   include/_mingw.h
behavioral7   include/assert.h
behavioral8   include/celib.h
behavioral9   include/conio.h
behavioral10  include/ctype.h
behavioral11  include/dir.h
behavioral12  include/direct.h
behavioral13  include/dirent.h
behavioral14  languages/mytes0day0-x86_64.pot
behavioral15  mrgg.sys
behavioral16  mytes0day0-x86_64.exe
behavioral17  mytes0day0-x86_64.exe
behavioral18  packfiles.bat
behavioral19  standalonephase1.exe
behavioral20  test1-x86_64.exe
behavioral21  tiny.exe
behavioral22  vmdisk.vbs
behavioral23  win32/dbghelp.dll
behavioral24  win32/sqlite3.dll
behavioral25  win32/symsrv.dll
behavioral26  win32/symsrv.yes
behavioral27  win64/dbghelp.dll
behavioral28  win64/old/dbghelp.dll
behavioral29  win64/old/symsrv.dll
behavioral30  win64/sqlite3.dll
behavioral31  win64/symsrv.dll
behavioral32  win64/symsrv.yes
General

Target:  mytes0day0-x86_64.exe
Size:    16.2MB
MD5:     8b2b4f868dc2654750a53c3219c340e1
SHA1:    5f6675d85b934331e609190e81c733bc974b46ff
SHA256:  9501b55e5702e70a75471d87204f487c1a3655b9f5c0114d8b3c3be0bb2da22d
SHA512:  43f2d7499344419a29905516594f7af4b2e5c43e2c50eb70d07637623781c3f6c4d25f8c68bddc049691d1b4d6465eb9321fe7cc77e59e59b091a27799491e41
SSDEEP:  393216:h3z43TvbXUunE3zxqqi2b1k6TNPa5Lg88:Jdzxqqiqg5Ub
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops file in System32 directory (57 IoCs)
Process: mytes0day0-x86_64.exe. Files opened for modification:
  C:\Windows\SYSTEM32\srvcli.dll
  C:\Windows\SYSTEM32\MLANG.dll
  C:\Windows\System32\GDI32.dll
  C:\Windows\System32\advapi32.dll
  C:\Windows\SYSTEM32\version.dll
  C:\Windows\System32\comdlg32.dll
  C:\Windows\SYSTEM32\urlmon.dll
  C:\Windows\System32\gdi32full.dll
  C:\Windows\SYSTEM32\hhctrl.ocx
  C:\Windows\SYSTEM32\windows.storage.dll
  C:\Windows\System32\Windows.StateRepositoryPS.dll
  C:\Windows\SYSTEM32\profapi.dll
  C:\Windows\System32\RPCRT4.dll
  C:\Windows\SYSTEM32\wsock32.dll
  C:\Windows\SYSTEM32\Wldp.dll
  C:\Windows\SYSTEM32\uxtheme.dll
  C:\Windows\System32\MSCTF.dll
  C:\Windows\SYSTEM32\opengl32.dll
  C:\Windows\SYSTEM32\kernel.appcore.dll
  C:\Windows\System32\shell32.dll
  C:\Windows\SYSTEM32\iertutil.dll
  C:\Windows\SYSTEM32\edputil.dll
  C:\Windows\System32\CFGMGR32.dll
  C:\Windows\SYSTEM32\ntdll.dll
  C:\Windows\System32\ucrtbase.dll
  C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
  C:\Windows\System32\msvcrt.dll
  C:\Windows\System32\sechost.dll
  C:\Windows\System32\bcryptPrimitives.dll
  C:\Windows\System32\clbcatq.dll
  C:\Windows\System32\OneCoreCommonProxyStub.dll
  C:\Windows\System32\KERNELBASE.dll
  C:\Windows\System32\combase.dll
  C:\Windows\System32\imm32.dll
  C:\Windows\system32\explorerframe.dll
  C:\Windows\SYSTEM32\PROPSYS.dll
  C:\Windows\System32\ws2_32.dll
  C:\Windows\SYSTEM32\policymanager.dll
  C:\Windows\System32\user32.dll
  C:\Windows\System32\win32u.dll
  C:\Windows\System32\ole32.dll
  C:\Windows\System32\shcore.dll
  C:\Windows\SYSTEM32\netutils.dll
  C:\Windows\System32\KERNEL32.DLL
  C:\Windows\SYSTEM32\msimg32.dll
  C:\Windows\SYSTEM32\Secur32.dll
  C:\Windows\SYSTEM32\msvcp110_win.dll
  C:\Windows\System32\wintypes.dll
  C:\Windows\System32\oleaut32.dll
  C:\Windows\System32\msvcp_win.dll
  C:\Windows\System32\psapi.dll
  C:\Windows\SYSTEM32\GLU32.dll
  C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
  C:\Windows\System32\SHLWAPI.dll
  C:\Windows\SYSTEM32\winmm.dll
  C:\Windows\SYSTEM32\wininet.dll
  C:\Windows\SYSTEM32\SSPICLI.DLL
Drops file in Windows directory (1 IoC)
Process: mytes0day0-x86_64.exe. File opened for modification:
  C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: msedge.exe
  Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class (1 IoC)
Process: msedge.exe
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{4892882F-070F-4F42-9298-4D157C89045C}
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 3992 msedge.exe (2 entries)
  PID 4256 msedge.exe (2 entries)
  PID 4756 msedge.exe (2 entries)
  PID 4592 identity_helper.exe (2 entries)
  PID 764 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID 4256 msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Process: PID 4504 mytes0day0-x86_64.exe adjusted the following token privileges, in the order observed:
  SeDebugPrivilege
  SeTcbPrivilege
  SeTcbPrivilege
  SeLoadDriverPrivilege
  SeCreateGlobalPrivilege
  SeLockMemoryPrivilege
  33 (the sandbox printed only the LUID; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeManageVolumePrivilege
  SeBackupPrivilege
  SeCreatePagefilePrivilege
  SeShutdownPrivilege
  SeRestorePrivilege
  33 (SeIncreaseWorkingSetPrivilege)
  SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 4504 mytes0day0-x86_64.exe (1 entry)
  PID 4256 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  PID 4256 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Cross-process writes (source PID and image → target PID and image):
  4504 mytes0day0-x86_64.exe → 4256 msedge.exe (2 entries)
  4256 msedge.exe → 3636 msedge.exe (2 entries)
  4256 msedge.exe → 3992 msedge.exe (2 entries)
  4256 msedge.exe → 3024 msedge.exe and 4256 msedge.exe → 2416 msedge.exe (the remaining 58 entries)
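Signature dumps like the ones above are easier to triage when parsed than when read. The script below is an added example written for this page; it is not part of the sandbox report and not code from Cheat Engine or any project the archive contains. It parses AdjustPrivilegeToken and WriteProcessMemory entries in exactly the text shape shown above, resolves the bare LUID 33 to SeIncreaseWorkingSetPrivilege, flags the privileges that matter for a user-mode sample, and separates writes between different images (the sample writing into msedge.exe) from Chromium's routine parent-to-child writes (msedge.exe into msedge.exe). The embedded sample text is a short excerpt constructed from this report's entries, and the risk rationale strings are the editor's own, not sandbox output.

```python
import re
from collections import Counter, defaultdict

# Excerpt constructed from the AdjustPrivilegeToken and WriteProcessMemory
# entries of this report; the real signature text is much longer.
SAMPLE_SIGNATURES = (
    "Token: SeDebugPrivilege 4504 mytes0day0-x86_64.exe "
    "Token: SeTcbPrivilege 4504 mytes0day0-x86_64.exe "
    "Token: SeLoadDriverPrivilege 4504 mytes0day0-x86_64.exe "
    "Token: 33 4504 mytes0day0-x86_64.exe "
    "Token: SeIncBasePriorityPrivilege 4504 mytes0day0-x86_64.exe\n"
    "PID 4504 wrote to memory of 4256 4504 mytes0day0-x86_64.exe msedge.exe "
    "PID 4504 wrote to memory of 4256 4504 mytes0day0-x86_64.exe msedge.exe "
    "PID 4256 wrote to memory of 3636 4256 msedge.exe msedge.exe "
    "PID 4256 wrote to memory of 3024 4256 msedge.exe msedge.exe\n"
)

# Analyst rationale (not sandbox output) for privileges that deserve a second
# look when a user-mode sample enables them.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege": "open and write any process, including protected ones",
    "SeLoadDriverPrivilege": "load a kernel driver (the archive also ships driver64.dat and mrgg.sys)",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read files regardless of ACL",
    "SeRestorePrivilege": "write files regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of securable objects",
    "SeLockMemoryPrivilege": "lock physical pages in memory",
}

# Privilege LUIDs the sandbox printed as bare numbers
# (winnt.h: SE_INC_WORKING_SET_PRIVILEGE == 33).
PRIVILEGE_LUIDS = {"33": "SeIncreaseWorkingSetPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_tokens(text):
    """Map (pid, image) -> Counter of privilege names from AdjustPrivilegeToken IoCs."""
    result = defaultdict(Counter)
    for priv, pid, image in TOKEN_RE.findall(text):
        result[(int(pid), image)][PRIVILEGE_LUIDS.get(priv, priv)] += 1
    return dict(result)


def triage_privileges(text):
    """Return, per process, the high-risk privileges it touched and why they matter."""
    findings = {}
    for proc, privs in parse_tokens(text).items():
        hits = {p: HIGH_RISK_PRIVILEGES[p] for p in privs if p in HIGH_RISK_PRIVILEGES}
        if hits:
            findings[proc] = hits
    return findings


def write_graph(text):
    """Map (src_pid, src_image) -> Counter of (dst_pid, dst_image) from WriteProcessMemory IoCs."""
    graph = defaultdict(Counter)
    for src, dst, src_img, dst_img in WRITE_RE.findall(text):
        graph[(int(src), src_img)][(int(dst), dst_img)] += 1
    return dict(graph)


def cross_image_writes(text):
    """Keep only writes where the writer's image differs from the target's.

    The Chromium browser process writes into its own children while launching
    them (msedge.exe -> msedge.exe); that is expected and noisy. A different
    image writing into the browser is the edge an analyst wants surfaced.
    """
    return sorted(
        (src, dst, n)
        for src, dsts in write_graph(text).items()
        for dst, n in dsts.items()
        if src[1] != dst[1]
    )


if __name__ == "__main__":
    for proc, hits in triage_privileges(SAMPLE_SIGNATURES).items():
        print(f"PID {proc[0]} {proc[1]}:")
        for priv, why in hits.items():
            print(f"  {priv}: {why}")
    for src, dst, n in cross_image_writes(SAMPLE_SIGNATURES):
        print(f"{src[1]} (PID {src[0]}) wrote to {dst[1]} (PID {dst[0]}) {n} time(s)")
```

Feed it the full signature text of a report and the noise from the browser's own child-process bootstrap drops out, leaving the sample-to-browser writes and the driver-loading and debugging privileges as the items to investigate further.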
Processes (tree; depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\mytes0day0-x86_64.exe
    "C:\Users\Admin\AppData\Local\Temp\mytes0day0-x86_64.exe"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/0day
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42446f8,0x7ffbd4244708,0x7ffbd4244718

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4204 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4448 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3640308814016563431,8705925832545112536,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3744 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
  MD5:    ecf7ca53c80b5245e35839009d12f866
  SHA1:   a7af77cf31d410708ebd35a232a80bddfb0615bb
  SHA256: 882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
  SHA512: 706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
  MD5:    4dd2754d1bea40445984d65abee82b21
  SHA1:   4b6a5658bae9a784a370a115fbb4a12e92bd3390
  SHA256: 183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
  SHA512: 92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (456B)
  MD5:    4a445279b94637e6233ffb1d0156c480
  SHA1:   ef11f294b4f71b7d368708feffb7becbb2b712c2
  SHA256: 1c01522c8263e633aff3d02c63b57ff83e6eeebf3516ed0fc81066a7e5380293
  SHA512: 6cc52bc2ff70bab9f3597e108de127c626379bd6ad04dd52b9e9c7afb009f99517ca0ee9445eef0a36ca8aaaa5262b44446c04760eb0b601815becae9c1ddf9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (323B)
  MD5:    a5a1149047729a493b1a2a65063c39ba
  SHA1:   8f1f45cb0c0772dcd05795734cbf408636fb9fb9
  SHA256: e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006
  SHA512: 8ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
  MD5:    ef2770d68d21937452a0fb643cf28558
  SHA1:   c54f8642827376135772e61e6225fb46756617d2
  SHA256: 85720d9f466e5c556a4354f719e5d7c4a2292284e09e727f1d7ba73223301777
  SHA512: b65d42b48acf9ee69a0881908e8ad3c980df54f0b3130a0a2aa8055c0a611d05a6a27993ab1eaff2be48287901b423523710f36cae6dbd0120e19ea74113ec59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
  MD5:    313d467b9c1832421f77865b92f4f81c
  SHA1:   f69762391c659bb7660ae0535957141d51324155
  SHA256: 0d8e4ed10bc283b7d422dff20f33c55c98d5c3f2bf1198334e11e9d394cc42f8
  SHA512: d53c81ca867f68f6076a043e5d66f77491f14712f8f7c54ea9494aa15b032da7a055efa8299ab8dd28fe94991977a8c351da5458c9d2e333550e38622ec0aa5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (10KB)
  MD5:    601981df2c1cb300eda850076195e6f7
  SHA1:   e930a009db1c705e5f90fc4a5f26511b55c78f41
  SHA256: 02521cf13ce595e6c3ed16e051455697f5d126e209b758dfd4bd5208645f4442
  SHA512: b242e35e5249d77e354d507ca75c3f5adeaaa4a95123d70013878c958e004f2c584f5c80cfd5edd6f8d2f19372a4c163b13ed3eeb2b8232da2145aac640821b9

\??\pipe\LOCAL\crashpad_4256_RQQBZDWLTNQJQAQL (no size recorded; these four digests are those of zero-length input, so nothing was captured from the pipe)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps from PID 4504 (4KB each):
  memory/4504-25-0x000000000E770000-0x000000000E771000-memory.dmp
  memory/4504-33-0x000000000E780000-0x000000000E781000-memory.dmp
  memory/4504-31-0x000000000E780000-0x000000000E781000-memory.dmp
  memory/4504-35-0x000000000E780000-0x000000000E781000-memory.dmp
  memory/4504-16-0x000000000E720000-0x000000000E721000-memory.dmp
  memory/4504-18-0x000000000E730000-0x000000000E731000-memory.dmp
  memory/4504-20-0x000000000E740000-0x000000000E741000-memory.dmp
  memory/4504-23-0x000000000E760000-0x000000000E761000-memory.dmp
  memory/4504-29-0x000000000E770000-0x000000000E771000-memory.dmp
  memory/4504-15-0x000000000E720000-0x000000000E721000-memory.dmp