Resubmissions (submitted, analysis ID, score)
- 03/12/2024, 21:44  241203-1lfvba1ncp  score 6
- 19/10/2024, 22:38  241019-2kv4aavgnm  score 3
- 19/08/2024, 01:19  240819-bpr93szapm  score 3
- 19/08/2024, 00:51  240819-a7mlwavcqg  score 10
- 19/08/2024, 00:48  240819-a5824avcka  score 6
- 19/08/2024, 00:44  240819-a3nndavara  score 10
- 19/08/2024, 00:41  240819-a12gfsvaja  score 7
- 19/08/2024, 00:39  240819-azr7dsthlh  score 8
- 19/08/2024, 00:02  240819-abjkcasema  score 6
- 19/08/2024, 00:00  240819-aas3dswaqk  score 1
Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19/08/2024, 00:41
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://github.com/Endermanch/MalwareDatabase
- Resource: win11-20240802-en
General
- Target: https://github.com/Endermanch/MalwareDatabase
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid / Process:
  - 1732  x2s443bc.cs1.tmp

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow / ioc:
  - 27  camo.githubusercontent.com
  - 37  raw.githubusercontent.com
  - 27  raw.githubusercontent.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x2s443bc.cs1.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x2s443bc.cs1.tmp

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  taskmgr.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  - Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
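The three registry signatures above are all produced by matching key paths against known locations and attributing the access to a process. The following is an added example of that matching, written for this page and not part of the sandbox's own rule set: it takes registry-access events shaped like the IoC rows above (the event list is constructed by hand from those rows plus one noise row), classifies each path into the same three signature names with their ATT&CK technique IDs, splits the SCSI device identifier into its Ven_/Prod_ fields, and checks those fields for the hypervisor strings a sandbox-aware sample typically compares against. The rule names, the marker list and the technique mapping are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed registry-access events modelled on the IoC rows in the report
# above: (process, operation, key path). Typed in by hand, not exported from
# the sandbox; the last row is added noise so a non-matching path is present.
EVENTS = [
    ("x2s443bc.cs1.exe", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("x2s443bc.cs1.tmp", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("taskmgr.exe", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000"),
    ("taskmgr.exe", "Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName"),
    ("msedge.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("msedge.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    ("msedge.exe", "Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

# ControlSet001 and CurrentControlSet are two spellings of the same hive, so
# every rule accepts either.
CONTROLSET = r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"

# (signature name as the report prints it, ATT&CK technique, path pattern)
RULES = [
    ("System Location Discovery: System Language Discovery", "T1614.001",
     re.compile(CONTROLSET + r"\\Control\\NLS\\Language(?:\\|$)", re.I)),
    ("Checks SCSI registry key(s)", "T1497.001",
     re.compile(CONTROLSET + r"\\Enum\\SCSI\\(?P<devid>[^\\]+)", re.I)),
    ("Enumerates system info in registry", "T1082",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(?:\\|$)", re.I)),
]

# Substrings that give away a virtual disk when they appear in the SCSI device
# identifier; this is the kind of list a sandbox check compares against.
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")


def parse_scsi_device_id(devid):
    """Split 'Disk&Ven_WDC&Prod_WDS100T2B0A' into {'class': 'Disk', 'Ven': 'WDC', 'Prod': ...}."""
    parts = devid.split("&")
    fields = {"class": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("_")
        fields[key] = value
    return fields


def hypervisor_exposed(devid):
    """True if the vendor or product field names a hypervisor's virtual disk."""
    fields = parse_scsi_device_id(devid)
    haystack = (fields.get("Ven", "") + " " + fields.get("Prod", "")).upper()
    return any(marker in haystack for marker in HYPERVISOR_MARKERS)


def classify(events):
    """Group matching accesses by process: {process: {signature: [detail, ...]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for process, operation, path in events:
        for name, technique, pattern in RULES:
            match = pattern.search(path)
            if not match:
                continue
            detail = {"operation": operation, "path": path, "technique": technique}
            if "devid" in match.groupdict():
                detail["device"] = parse_scsi_device_id(match.group("devid"))
            findings[process][name].append(detail)
    return {process: dict(sigs) for process, sigs in findings.items()}


if __name__ == "__main__":
    for process, sigs in classify(EVENTS).items():
        for name, hits in sigs.items():
            print(f"{process}: {name} ({hits[0]['technique']}) x{len(hits)}")
```

Note the process column: in this report the SCSI reads come from taskmgr.exe, a Windows component that displays disk model names, not from the dropped sample, so the SCSI signature on its own is weak evidence and the device string it reads (a WDC model, no hypervisor marker) is what a sandbox would want a sample to see. The NLS\Language reads, by contrast, are attributed to x2s443bc.cs1.exe and its unpacked stub, which is the finding worth following up.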
Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid / Process (repeated entries collapsed): 4952 msedge.exe; 3360 msedge.exe; 1880 msedge.exe; 5016 identity_helper.exe; 672 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  pid / Process: 3360 msedge.exe (all 11 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege  672 taskmgr.exe
  - Token: SeSystemProfilePrivilege  672 taskmgr.exe
  - Token: SeCreateGlobalPrivilege  672 taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid / Process (repeated entries collapsed): 3360 msedge.exe; 672 taskmgr.exe

Suspicious use of SendNotifyMessage (58 IoCs)
  pid / Process (repeated entries collapsed): 3360 msedge.exe; 672 taskmgr.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (repeated entries collapsed):
  - PID 3360 wrote to memory of 2752  3360 msedge.exe  81
  - PID 3360 wrote to memory of 4128  3360 msedge.exe  82
  - PID 3360 wrote to memory of 4952  3360 msedge.exe  83
  - PID 3360 wrote to memory of 5080  3360 msedge.exe  84
Processes
- PID 3360: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 2752: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb5b43cb8,0x7ffbb5b43cc8,0x7ffbb5b43cd8
  - PID 4128: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  - PID 4952: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5080: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  - PID 1512: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  - PID 1388: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  - PID 1880: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5016: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4724: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  - PID 5092: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  - PID 4968: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  - PID 3208: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  - PID 3140: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  - PID 2856: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:8
  - PID 4392: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  - PID 2816: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  - PID 2356: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4916 /prefetch:8
  - PID 704: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5048 /prefetch:2
  - PID 3476: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  - PID 3836: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,15893155626583060524,624390846988511376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
- PID 2824: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2828: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3024: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 568: "C:\Users\Admin\AppData\Local\Temp\Temp1_Downloadly.zip\x2s443bc.cs1.exe"
  Signatures: System Location Discovery: System Language Discovery
  - PID 1732: "C:\Users\Admin\AppData\Local\Temp\is-S8DJV.tmp\x2s443bc.cs1.tmp" /SL5="$F0290,15784509,779776,C:\Users\Admin\AppData\Local\Temp\Temp1_Downloadly.zip\x2s443bc.cs1.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 3068: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://joinmassive.com/privacy
      - PID 1200: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbb5b43cb8,0x7ffbb5b43cc8,0x7ffbb5b43cd8
    - PID 4032: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://joinmassive.com/faq
      - PID 3480: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbb5b43cb8,0x7ffbb5b43cc8,0x7ffbb5b43cd8
- PID 672: "C:\Windows\system32\taskmgr.exe" /0
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
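The interesting chain in the process tree is the executable run from the user's Temp directory (PID 568), the stub it unpacks to an is-XXXXX.tmp directory and launches with an /SL5= argument (PID 1732, the Inno Setup installer handoff; the last /SL5 field is the path of the original installer, as the report's own command line shows), and the two browser windows that stub opens on joinmassive.com. The following is an added example of reconstructing that chain from the tree and is not the sandbox's own logic: the process list is constructed by hand from the tree above with Edge's helper processes omitted, and the Temp-directory pattern, the Inno Setup patterns and the "user-writable launch" heuristic are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process tree modelled on the Processes section above:
# (nesting depth, pid, command line). Typed in by hand, not exported from the
# sandbox; most of Edge's helper processes are omitted to keep the sample short.
PROCESSES = [
    (1, 3360, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase'),
    (2, 2752, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler'),
    (1, 568, r'"C:\Users\Admin\AppData\Local\Temp\Temp1_Downloadly.zip\x2s443bc.cs1.exe"'),
    (2, 1732, r'"C:\Users\Admin\AppData\Local\Temp\is-S8DJV.tmp\x2s443bc.cs1.tmp" /SL5="$F0290,15784509,779776,C:\Users\Admin\AppData\Local\Temp\Temp1_Downloadly.zip\x2s443bc.cs1.exe"'),
    (3, 3068, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://joinmassive.com/privacy'),
    (4, 1200, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler'),
    (3, 4032, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://joinmassive.com/faq'),
    (1, 672, r'"C:\Windows\system32\taskmgr.exe" /0'),
]

# Heuristics chosen for this example (assumptions, not sandbox rules).
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
INNO_UNPACK = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)   # Inno Setup unpack dir + stub
SL5 = re.compile(r'/SL5="([^"]*)"', re.I)                                # Inno Setup stub handoff
URL = re.compile(r"https?://[^\s\"]+")


def image_path(cmdline):
    """Executable path: the first quoted token, else the first whitespace-delimited one."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(None, 1)[0]


def build_tree(rows):
    """Turn (depth, pid, cmdline) rows into nodes with parent/child links via a depth stack."""
    nodes, stack = {}, []
    for depth, pid, cmdline in rows:
        while len(stack) >= depth:      # pop back to the parent level
            stack.pop()
        parent = stack[-1] if stack else None
        nodes[pid] = {"pid": pid, "cmdline": cmdline, "image": image_path(cmdline),
                      "parent": parent, "children": []}
        if parent is not None:
            nodes[parent]["children"].append(pid)
        stack.append(pid)
    return nodes


def ancestry(nodes, pid):
    """Root-first list of pids from the top of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = nodes[pid]["parent"]
    return chain[::-1]


def descendants(nodes, pid):
    """Every pid below pid, depth-first in tree order."""
    out = []
    for child in nodes[pid]["children"]:
        out.append(child)
        out.extend(descendants(nodes, child))
    return out


def describe(nodes, pid):
    return f"{PureWindowsPath(nodes[pid]['image']).name} ({pid})"


def find_dropper_chains(nodes):
    """Flag executables launched from the user's Temp directory, link an Inno Setup stub back to
    the installer that extracted it, and collect every URL its descendants were told to open."""
    findings = []
    for pid, node in nodes.items():
        if not USER_WRITABLE.match(node["image"]):
            continue
        finding = {
            "pid": pid,
            "chain": " > ".join(describe(nodes, p) for p in ancestry(nodes, pid)),
            "inno_setup_stub": bool(INNO_UNPACK.search(node["image"])),
            "unpacked_from": None,
            "urls_opened": [],
        }
        sl5 = SL5.search(node["cmdline"])
        if sl5:
            finding["unpacked_from"] = sl5.group(1).split(",")[-1]   # last field: original installer
        for child in descendants(nodes, pid):
            finding["urls_opened"].extend(URL.findall(nodes[child]["cmdline"]))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(build_tree(PROCESSES)):
        print(f["chain"], "| inno stub:", f["inno_setup_stub"], "| from:", f["unpacked_from"])
        for url in f["urls_opened"]:
            print("   opens", url)
```

Reading the result: both the zip-extracted installer and its unpacked stub are flagged, the stub is tied back to the installer via the /SL5 path rather than by name matching, and the joinmassive.com URLs come from browser processes whose parent is the stub, which is the link the flat signature list above does not make on its own.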
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 2ee16858e751901224340cabb25e5704
  SHA1: 24e0d2d301f282fb8e492e9df0b36603b28477b2
  SHA256: e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c
  SHA512: bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba
- Filesize: 152B
  MD5: ea667b2dedf919487c556b97119cf88a
  SHA1: 0ee7b1da90be47cc31406f4dba755fd083a29762
  SHA256: 9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f
  SHA512: 832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72
- Filesize: 37KB
  MD5: 48f925eefce06701a10bb34743596ef6
  SHA1: 3271af5587fb44878f2355cb99cc2a5a915706fd
  SHA256: 85712a77e89fff00123155170da85c01b812e5b68de05a05f59c71fcba597a17
  SHA512: 76993db32748cf3f3295318b153ab6fd85d18a624f5b75d85d2e8c7b39f5d19003cb10c659173dee6a87aec02ce30f3f3219ca9bfae0996e37db64fd6b446d6e
- Filesize: 37KB
  MD5: a2ade5db01e80467e87b512193e46838
  SHA1: 40b35ee60d5d0388a097f53a1d39261e4e94616d
  SHA256: 154a7cfc19fb8827601d1f8eda3788b74e2018c96779884b13da73f6b1853a15
  SHA512: 1c728558e68ed5c0a7d19d8f264ad3e3c83b173b3e3cd5f53f5f3b216ed243a16944dbe6b2159cfe40ee4a3813ca95a834f162073a296b72bbdedc15546be8f8
- Filesize: 21KB
  MD5: 7715176f600ed5d40eaa0ca90f7c5cd7
  SHA1: 00fdb1d5b1421ea03d2d33542a4eaf7ac543d3d0
  SHA256: 154632629a0698587e95c608e6ed5f232e2ba1a33d7c07fea862a25293a9926e
  SHA512: 799cfee1969b6137813c98b83b90052c04527b273156f577841b64828c07c4e6a3913a6ddd49ae5021ed54a367ddbc5ab2193226960b0ffe9a618c663c8d8a1c
- Filesize: 23KB
  MD5: bc715e42e60059c3ea36cd32bfb6ebc9
  SHA1: b8961b23c29b9769100116ba0da44f13a24a3dd4
  SHA256: 110ccd760150c6ac29c987ee2b8f7c56772036f6fe74ff2fb56c094849912745
  SHA512: 5c0edd336a6d892f0163aa183e5482313dd86f9f5b2d624b3c4529692d70720f4823808f10ee7870fd9368b24de752b343570419fd244c33ad2d9cc86007bedc
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 3e78ec9d26e3b8bc879c7a592fb5aec8
  SHA1: c0f02fdcbf3b45998baaaf39a37c39e115fac1f2
  SHA256: 6558ab8391ef9f5c17378f95a83064a9c02d0ae506d5abd0fa609d2d38f45b74
  SHA512: 7be34ee9ec6fa67a48cb964b4491712d6a4ea5a5707d6c0e8bf827bfcc51f111257cf9e9b3ee4a0f25397871767a0f44457ffe996d3f9896e68833ec02d62731
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: d66d12b479b70db180d2380763aa297d
  SHA1: de5bd6a4c5fcecdbbc4e9e417c37eb4c326df12b
  SHA256: ee0188eb20ebaaf096269894b676e2383c77386122514b6f92ad268bd5b46ee5
  SHA512: cf6b64b1fbd38f0023b05dcea7a463f3af5dd0a3b6eb55f1fe115da41a41c12f1c3bd63a2c3aa3ba84cb65c0c25facd23154e3ddd3f9f13fb8108969de876566
- Filesize: 579B
  MD5: be85a012866f82533b134a3e7c03581c
  SHA1: 8f361377763dc0f643a3c2746149ca5850c5d8c0
  SHA256: 7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0
  SHA512: 38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621
- Filesize: 5KB
  MD5: 190e69dd0a1c1c0ce8d9c534f842f7ac
  SHA1: 21d3c9ba52880474081508ca2ba30ce175edcddd
  SHA256: ee1cdbccfea64c983166105ef096aeb16f3a50940b842a5862cb2b28ce43359f
  SHA512: a8273b236f2c8eafdd6fc85e10c780d4667b3753abc9e379adf3137835b38d470567aa4245b82a2e1b3ba41435145cca6b7a9a9f1daa6af3297e8b4c3d96307f
- Filesize: 6KB
  MD5: 314f75cb8a515815f85ea01850bf58e1
  SHA1: 8d918072dbf224d9e8011a88ac9c53d53ed6675c
  SHA256: 8dab71117b14184b3ebf031ae3989e7ec188cb0e2f9e50ba8694f17012b62a1a
  SHA512: 542047abf11dd840e165b828394c440207b6a2a7f138bafde209561d61bf51c6a04d8c1c0c4bff687da9326345d44258f49e02923bfd5d21f1c3ae0fc425fe11
- Filesize: 6KB
  MD5: 6fdb225f43bedfb177e3d9488a84d9d5
  SHA1: 29bc9e7eae0c1d6f61b0d8c4472ada3730d65765
  SHA256: 1f0720f27ac6673ff6317908712cb643420cc3b4a1716b7116d1627896137ebb
  SHA512: ff047b980609f55980d5f363cfc424e5af52342fb3d753cf76a44602e0678683c07d5379825006a0a3b2868081abc8155ae8210d46bf334728eedce12087b561
- Filesize: 6KB
  MD5: 30a1f27f33342d4d60f6b3fdbcf02708
  SHA1: 6667985d3c5f578b9c38fb132f8b818953d33e86
  SHA256: c3e446d108df5070ccc47b910cd50a7dabc4788d5d5530177c9178aee01d02e0
  SHA512: a86d558cf294fcf67a8e90a29b5dbaef15bbbc7d706f9b7e0c9408d3297f5eb305a183602fa986abf2383d5980e6a1965cf9f7d62902c6b8a725b98c84af6e50
- Filesize: 1KB
  MD5: 969349b9c41cc3180a18aedbcbc03702
  SHA1: 8cf148cc4f07c73dc863b630a29e02b4a17cefed
  SHA256: e28f722ad34197d0ab4a4e65fe591d26d188ef3ccb74a4a8c660e811fa381ff7
  SHA512: 51374147c5a9410a6e15eaa66c41a05cca6351ca3d46772feb12f11f9375d24041d149936206925904a4ccc5c8f01046f1c4ba8d30eb78c4cf7cac2d2665564d
- Filesize: 1KB
  MD5: 2deef8fc7ff974b561004ffc166dab5f
  SHA1: a0fe3832f629b46f3779c7a72c3bfb4bc2eb709c
  SHA256: 8394fa0105711ac370233e2ef1335dcde1dc1591a13da0b61a329dd61b337643
  SHA512: 8c6807ef5b5c92692998a7819b73ef35742cc573cea506f79b318f34ec5613ace9980d5b9a451913ecd3554a7de290f2dd916cc82c4f3873a4dabf4082f6880d
- Filesize: 1KB
  MD5: c2a027f86143053aa9cd82bbd364fb55
  SHA1: f2a63046e164c926d938480c167b2df62cd3d8b0
  SHA256: ff95d5fd49610fc956f54e5efb46b849d8df3cfd9c5be6bca68daaee3b6cde09
  SHA512: 7060d765f9479e2b1b8c63068abef1e108afbe14384a1444a6c6ff08a9b6005423b990c27689ceb41b3cadd94e99644c2121d50377ea0dafcfae6cf87ce90b92
- Filesize: 1KB
  MD5: 404740e1991bf22a7425457509f4de64
  SHA1: 24550fce7473f58f33840021a5132d86b0e5a89a
  SHA256: ce2c883517c5e8585a903be269eb7db544d05d841c0575ee17261c0a0274972a
  SHA512: a3e7951ef08045afbb377680a74f2c66b9f4f378ce0bf05514ca8fffca9536b14ab7bad10f0c3011ce8a06eb6a88a3b57cbb1a974af165da6575ce5308e30d22
- Filesize: 1KB
  MD5: 4565a83a9f8f7be5d32fcdec6a37c3c6
  SHA1: e2ef42a98f73dc1eae6f3ac65aaaa5d0ca1388ab
  SHA256: db3e28572b5c11b258bbce25963f59f0d6b14f56a41996a41b014ba0268973ac
  SHA512: 0ce87ee6d56cf571f21c28c1c35ec337ad28220bbe93174180d35faea0e58c6919d819fb10d55aafc6460e30d9b1c24abc002d0cd5041cb10ef70675c319c761
- Filesize: 1KB
  MD5: 9543699a643b477ee8d314f57d922fb3
  SHA1: af580438c1482c57b99a529fb959c24033b3b897
  SHA256: eb8895e3dfce97a6fff0d4a26661b802d1f2c2f745b0738ddcd3d777823b1b21
  SHA512: 05714f63ba0bd6870605aa45a28b694ad0d05b5983fcbae1e4f1d541b9ebabdfb5a98fcdf5ae275270a87a6ddfd06126d50a5ff3a1429174a2265081284e7f2a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\15f68fa6-49cf-4729-86e9-fdd62ac6b153\2
  Filesize: 10.4MB
  MD5: a738400113275586174d8921f37fd510
  SHA1: 401522bb246062d7312639a3f74edbfed724e548
  SHA256: cfe0fa13a6e81532a93f3a452efc99e54ff7cead0cf33a5a942831be06723b57
  SHA512: 9e775f8407a43382bfec1d4c101b789417c21b550751f78535b96f405da68c56b136538df90032d6adf7d39ea91573519b6c9c2f984237867ee726ce58a40550
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 11KB
  MD5: 187407eb0307280fd48ffac947e35218
  SHA1: 01c5fc361bd15597a48dad4097116f0aa63494c0
  SHA256: 2adadb42c28bbd622746be889e0601919cf5d563470affb51d0e6a44b02f08a3
  SHA512: f3887d205788601be7d9e95c39501eb56cd2030b5198016439ee717a6732230396ea1715429ab1b79b65d7a7607361dccee62ef1ab2acac667c0b32819704d42
- Filesize: 11KB
  MD5: d7b9824e02b7704bcae01768c82a92c9
  SHA1: ab92293504e3b7ee2b14e950b2cae9e6ec0599ee
  SHA256: ab00a95fdb977406536efa8632975059f9774e594958755340ac279480ce2321
  SHA512: f6ade196cd771bec93cc3fc8edd10de61367bd824f7a414bcc2e0de03768e53f15f54c935263817ddbb1cd65daba87e73b63b0af9794fe3e0cb5546064f63cd1
- Filesize: 11KB
  MD5: f2b2e3e9556a5e9cb9c7fbd55a17324d
  SHA1: 8d29b2eb2ce057b0fd45d16890c128c8b1d0a765
  SHA256: 51ec2128f51522a3533b9b211df5eea3422ca86a066573d2f6d561ee8e178ec6
  SHA512: 2e4e453cbd918cfde92de7cd156dbd7930c0292c1fa0082dce150752c9bea728819b288482b229e2674303fc54ab7c4eb752322688e993b4af874caecc3e856f
- Filesize: 11KB
  MD5: 8390874603caf376e11166abb0e779d8
  SHA1: e07c09b53d0692a86ff2df8d1a24ab89230753aa
  SHA256: 971acda66f3e494f2e5b82c19833f6d2aebf224b11254542526943e99827900a
  SHA512: 42361fa9800d89d7178c6c5ec0a34d34bdc6daf9f288e6e0040fc5716a05183ea93179332a104867ecb3a6b84809c384dabf0343c0b14e9fe3f6298817b184de
- Filesize: 11KB
  MD5: 43cbd7c0888035eb61a14e3b8d2c7ccf
  SHA1: 9bef83948cc7e69618773156f1cf23d1ed422ebe
  SHA256: ae467b3213e5185ad994b8885dfce5a58e3b39a74653ef5b3b7ebfd4b5a37274
  SHA512: 6d30ac8e487d1831dd69d579a2a218625dc71dd24236dafcf1bc4a709e863c5dae96b31729484ffaa62b780cb8b32ceb0b9d04491d6cff6fcf645c3131cdbb85
- Filesize: 11KB
  MD5: 0546a99e2cefbed18f4a5ac8341372ce
  SHA1: 37a56eeb02dadb6360f1dd1e6022cf067458f038
  SHA256: 7068ec222f275f23c9073a4855f843eea4e80ae2f5cc2cd80ea204ff91a670d4
  SHA512: b46fb6af9e614a2d69930942bd8d91d3f85288f6f7f6a5569a167df1ff58b218df5a7c495e3c5e78bd1e87f7b2a2f9a17a5119c97983ca22587f0f7790ec7811
- Filesize: 3.0MB
  MD5: 0d5dc73779288fd019d9102766b0c7de
  SHA1: d9f6ea89d4ba4119e92f892541719c8b5108f75f
  SHA256: 0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289
  SHA512: b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61
- Filesize: 15.4MB
  MD5: fa4f62062e0cec23b5c1d8fe67f4be2f
  SHA1: 0735531f6e37a9807a1951d0d03b066b3949484b
  SHA256: a88edca3b030046fe82e7add6da06311229c5c4f9396c30c04ab3f0b433eac6e
  SHA512: 0ffd333dc84ab8e4905fb76b3be69c7b9edba7f4eb72cc10efc82f6ae62d06c36227f4e8ada4f896e359e5ffc664d08caf76e15a40bd17e9384e73842e845995