Analysis

max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-09-2024 19:00

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: http://fbi.pet
Resource: win10v2004-20240802-en

General

Target: http://fbi.pet
Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow  ioc
- 65  discord.com
- 77  discord.com
- 79  discord.com
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoCs)
description / ioc / Process
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{4055B862-BAB2-48E7-A066-58BDFB7563C8} (msedge.exe)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid / Process
- 3324 msedge.exe
- 3324 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 3552 identity_helper.exe
- 3552 identity_helper.exe
- 800 msedge.exe
- 800 msedge.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 5052 msedge.exe
- 5052 msedge.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
- 6128 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
pid / Process
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
- 2740 msedge.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description / pid / Process
- Token: 33 (3140 AUDIODG.EXE)
- Token: SeIncBasePriorityPrivilege (3140 AUDIODG.EXE)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: 33 (1416 msedge.exe)
- Token: SeIncBasePriorityPrivilege (1416 msedge.exe)
- Token: SeDebugPrivilege (6128 taskmgr.exe)
- Token: SeSystemProfilePrivilege (6128 taskmgr.exe)
- Token: SeCreateGlobalPrivilege (6128 taskmgr.exe)
- Token: 33 (6128 taskmgr.exe)
- Token: SeIncBasePriorityPrivilege (6128 taskmgr.exe)
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process
- 448 CredentialUIBroker.exe
- 5828 CredentialUIBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

msedge.exe (PID 2740)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fbi.pet
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    msedge.exe (PID 4224)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80f3646f8,0x7ff80f364708,0x7ff80f364718

    msedge.exe (PID 4724)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

    msedge.exe (PID 3324)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 4836)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8

    msedge.exe (PID 5020)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

    msedge.exe (PID 3492)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    msedge.exe (PID 1568)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

    msedge.exe (PID 1416)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5020 /prefetch:8
      - Suspicious use of AdjustPrivilegeToken

    identity_helper.exe (PID 2168)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8

    identity_helper.exe (PID 3552)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 3056)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

    msedge.exe (PID 800)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6268 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe (PID 5240)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

    msedge.exe (PID 5376)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

    msedge.exe (PID 5656)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1

    msedge.exe (PID 5664)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

    msedge.exe (PID 5672)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

    msedge.exe (PID 5680)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1

    msedge.exe (PID 5788)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1

    msedge.exe (PID 2484)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

    msedge.exe (PID 432)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1

    msedge.exe (PID 2292)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

    msedge.exe (PID 804)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1

    msedge.exe (PID 1076)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6564 /prefetch:8

    msedge.exe (PID 5568)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6712 /prefetch:8

    msedge.exe (PID 5808)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6068 /prefetch:2

    msedge.exe (PID 5052)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,17172474313608325504,14411950843196882730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6876 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 4532)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 2320)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

AUDIODG.EXE (PID 3140)
  Path: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x31c 0x4fc
  - Suspicious use of AdjustPrivilegeToken

CredentialUIBroker.exe (PID 448)
  Path: C:\Windows\System32\CredentialUIBroker.exe
  Command line: "C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
  - Suspicious use of SetWindowsHookEx

CredentialUIBroker.exe (PID 5828)
  Path: C:\Windows\System32\CredentialUIBroker.exe
  Command line: "C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
  - Suspicious use of SetWindowsHookEx

taskmgr.exe (PID 6128)
  Path: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

CompPkgSrv.exe (PID 5760)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 5832)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads