87e875dbcb220c06eeef00fba2f38304cb3028641df26d1799c6b8534ec1ce1e

Analysis

max time kernel
72s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ChessBotX Trial/ChessBot.exe
Size

14.9MB
MD5

d777f5ecef75f5e4d3568d438d68401e
SHA1

62ff0fd1448805631d8d52f6806e000a9355fbb8
SHA256

30ce2ad402a3bdc311259d7af3b097c8c2eb6f15c4f76d4b5cbc71ca564cd4fa
SHA512

2b31aa087e60d57a5755d500f82cccb63fbd1daee6b344c19ba241214d49d263ab34ecd262bdff5e062cc821a6b0cd4ebb00c32dce66452fb6cca2d4a00ac993
SSDEEP

393216:+Dma17FSQM1DycoyhU2TbH4dGUKzQlUavKaOr:4jSQPzCxbEGfzivpOr

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3280	ChessBot.exe
3280	ChessBot.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChessBot.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{7F70C599-D1A0-4DC8-83F6-C98D69CFE86F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3280	ChessBot.exe
3280	ChessBot.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
3460	msedge.exe
3460	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
5252	msedge.exe
5252	msedge.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
5644	identity_helper.exe
5644	identity_helper.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	taskmgr.exe
Token: SeSystemProfilePrivilege	2412	taskmgr.exe
Token: SeCreateGlobalPrivilege	2412	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe
3280	ChessBot.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3280	ChessBot.exe
3280	ChessBot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4384	8	msedge.exe	108
PID 8 wrote to memory of 4384	8	msedge.exe	108
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 4136	8	msedge.exe	109
PID 8 wrote to memory of 3460	8	msedge.exe	110
PID 8 wrote to memory of 3460	8	msedge.exe	110
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111
PID 8 wrote to memory of 3924	8	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\ChessBotX Trial\ChessBot.exe
"C:\Users\Admin\AppData\Local\Temp\ChessBotX Trial\ChessBot.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3280

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=h920ln.exe h920ln.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe85e946f8,0x7ffe85e94708,0x7ffe85e94718
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14661821923674389448,10096638216732262204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
067b94b6607a26024d16281198418086

SHA1
96b23fa3b1dcd097003fe62ef23388d3dfa9697d

SHA256
0379bc67dcb6045f73e50f45dd137b06b571b76f90f10eaec30630f76c7c6445

SHA512
54e6b968d73aea5cc1d898e6e7d70beb9143c42ac0bf61df34aa08a5563bb22690c7ba69f7981a1725e5cac3786d94266bae36843f3c45dfc49d939f642ad197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
416c52af277e60bea77d3d1a900fb50b

SHA1
2a076730afb2ef013d731e8090355e89bd9f6a08

SHA256
3abd8d7da2ceac0c204faf5654976a8ffdc047892d5bb144748aaa1c6ca3f066

SHA512
c9fc4920619f20bd604b084a0668d207eec54dccd02f6697510e833fdb9d030c98c5268e31b18df8450a5373c88ddc1379d1d652924b802eb09c31e53cfb4ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70ab7d0682789cac77c53ffcb2a04198

SHA1
ae551c0e68c24f1ac7540e2abe64aa2beed7f171

SHA256
e488bd2fcf000a6cbc4b53e599c5616ace05011af5dc974f38797215116bcc30

SHA512
7468e17f5327df15f74aeeb253240ff638bb15bab2c00d592347590cb924945790163c7a1c59c2a0c5753c7d36eaa540addf0ff36adf3761bacb8a956991d04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
74ba4bb85aa54d15c0e764f533387bf1

SHA1
402ea120ef02c6967c7ecbf530bcad046b75a352

SHA256
0a6afcbca54260ada7f4e43183efcae49541f23cf62a3677825a708a5ffac715

SHA512
1a8f972a92ee798e3bb6fc74e8addaf36cf6b2b1d34c09e85972787b8dddd8a666138a4f3c2e3d378ed661e0575f9cab875a9a97da4267111526bc30ee3c73d9

Download Submit
memory/2412-17-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-8-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-19-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-18-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-7-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-16-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-15-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-14-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-13-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/2412-9-0x00000218F0720000-0x00000218F0721000-memory.dmp

Filesize
4KB

Download
memory/3280-0-0x00000000008A9000-0x0000000000F05000-memory.dmp

Filesize
6.4MB

Download
memory/3280-6-0x0000000000400000-0x000000000148E000-memory.dmp

Filesize
16.6MB

Download
memory/3280-5-0x00000000008A9000-0x0000000000F05000-memory.dmp

Filesize
6.4MB

Download
memory/3280-4-0x0000000000400000-0x000000000148E000-memory.dmp

Filesize
16.6MB

Download
memory/3280-3-0x0000000000400000-0x000000000148E000-memory.dmp

Filesize
16.6MB

Download
memory/3280-2-0x0000000000400000-0x000000000148E000-memory.dmp

Filesize
16.6MB

Download
memory/3280-1-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download