Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2024 02:05
Static task: static1

Behavioral task: behavioral1
  Sample: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
  Resource: win10v2004-20240802-en
General

Target: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
Size: 1.9MB
MD5: aefc9db6299b266732b17284fd21e570
SHA1: 59ac233b4c821859aaef31b380d73f03ac4c72b7
SHA256: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1
SHA512: 041ddd2dab23cac6dbd962ff2855b951b84168caa1b9b7a999faf6dc185f3428d644392b909288164eb1edc1561c3a1e740b59df6f180327da7a922cfe1bf753
SSDEEP: 24576:TUd4s3AGKyIRdemONgNyu5dVLaqSPWEmcBfBuI:TJslIT95dUjPWKBl
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7480318146:AAHneAEj7T3jx1iB2ghJbCQTHlT0BWac8Tg/sendMessage?chat_id=968705978
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Executes dropped EXE (1 IoC)
Processes:
  PID 3000  b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, among other data.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
  Key opened  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 8  checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3684 set thread context of PID 3000  (b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe, procid_target 82)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe (both instances)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes (identical rows collapsed, count in parentheses):
  PID 3000  b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe  (9)
  PID 3100  msedge.exe  (2)
  PID 4712  msedge.exe  (2)
  PID 4332  identity_helper.exe  (2)
  PID 384   msedge.exe  (4)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 3000  b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes (identical rows collapsed, count in parentheses):
  PID 4712  msedge.exe  (6)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege  PID 3000  b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (identical rows collapsed, count in parentheses):
  PID 4712  msedge.exe  (25)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (identical rows collapsed, count in parentheses):
  PID 4712  msedge.exe  (24)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 3000  b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed, count in parentheses):
  PID 3684 wrote to memory of PID 3000  (b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe, procid_target 82)  (8)
  PID 3000 wrote to memory of PID 4712  (b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe, procid_target 88)  (2)
  PID 4712 wrote to memory of PID 4220  (msedge.exe, procid_target 89)  (2)
  PID 4712 wrote to memory of PID 3348  (msedge.exe, procid_target 90)  (40)
  PID 4712 wrote to memory of PID 3100  (msedge.exe, procid_target 91)  (2)
  PID 4712 wrote to memory of PID 2464  (msedge.exe, procid_target 92)  (10)
outlook_office_path (1 IoC)
Processes: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
  Key opened  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
Processes: b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe
  Key opened  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

C:\Users\Admin\AppData\Local\Temp\b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe  (PID 3684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe  (PID 3000, child of PID 3684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4712, child of PID 3000)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://helpx.adobe.com/acrobat/kb/cant-open-pdf.html
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4220, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb64f46f8,0x7ffbb64f4708,0x7ffbb64f4718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3348, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3100, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2464, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2696, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4924, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3220, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4332, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3516, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1528, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1072, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2840, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 384, child of PID 4712)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8132280889042154412,2631797637916210961,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4088 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 3120)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4052)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads