Analysis
- max time kernel: 148s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-11-2024 15:40
Behavioral task behavioral1
- Sample: FRSSDE.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: FRSSDE.exe
- Resource: win10v2004-20241007-en
General
- Target: FRSSDE.exe
- Size: 481KB
- MD5: 416df385ee8cc5b57c5869cff2142747
- SHA1: a79848e3b77e0e995dbc1b87c1a82b00bf4827eb
- SHA256: 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004
- SHA512: f76e9cb4adbfda277d87ea85473fe4554b77f8da4c0e86b073d31046a3f4cf37a75336eb44fa3d009d20cf28685a41f191148db8b3167524aa46e598eba9bca0
- SSDEEP: 12288:LuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSx+DY:O09AfNIEYsunZvZ19Z6s
Malware Config
Signatures
Detected Nirsoft tools (8 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource / yara_rule:
- behavioral2/memory/544-18-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
- behavioral2/memory/220-32-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral2/memory/220-31-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral2/memory/220-37-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral2/memory/544-27-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
- behavioral2/memory/3392-25-0x0000000000400000-0x0000000000462000-memory.dmp: Nirsoft
- behavioral2/memory/3392-19-0x0000000000400000-0x0000000000462000-memory.dmp: Nirsoft
- behavioral2/memory/544-60-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource / yara_rule:
- behavioral2/memory/3392-25-0x0000000000400000-0x0000000000462000-memory.dmp: MailPassView
- behavioral2/memory/3392-19-0x0000000000400000-0x0000000000462000-memory.dmp: MailPassView
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource / yara_rule:
- behavioral2/memory/544-18-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
- behavioral2/memory/544-27-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
- behavioral2/memory/544-60-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
Uses browser remote debugging (2 TTPs, 9 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid / Process:
- 2804 msedge.exe
- 4472 Chrome.exe
- 4684 Chrome.exe
- 4264 Chrome.exe
- 4536 Chrome.exe
- 2888 msedge.exe
- 1184 msedge.exe
- 5072 msedge.exe
- 4320 msedge.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description / ioc / Process:
- Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (FRSSDE.exe)
Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target:
- PID 1852 set thread context of 544 (1852 FRSSDE.exe, procid_target 89)
- PID 1852 set thread context of 3392 (1852 FRSSDE.exe, procid_target 90)
- PID 1852 set thread context of 220 (1852 FRSSDE.exe, procid_target 92)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FRSSDE.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FRSSDE.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FRSSDE.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FRSSDE.exe)
Enumerates system info in registry (2 TTPs, 6 IoCs)
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Chrome.exe)
Modifies registry class (1 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (3 IoCs)
pid / Process:
- 1852 FRSSDE.exe
- 1852 FRSSDE.exe
- 1852 FRSSDE.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid / Process:
- 1184 msedge.exe
- 1184 msedge.exe
- 1184 msedge.exe
- 1184 msedge.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege (220 FRSSDE.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
- Token: SeShutdownPrivilege (4472 Chrome.exe)
- Token: SeCreatePagefilePrivilege (4472 Chrome.exe)
Suspicious use of FindShellTrayWindow (3 IoCs)
pid / Process:
- 4472 Chrome.exe
- 1184 msedge.exe
- 1184 msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe (PID 1852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe (PID 544)
    Command line: C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqdvvos"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe (PID 3392)
    Command line: C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe /stext "C:\Users\Admin\AppData\Local\Temp\zsinwhdmby"
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
  - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4472)
    Command line: --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 460)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6b1bcc40,0x7ffb6b1bcc4c,0x7ffb6b1bcc58
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 3004)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1385951234936549841,9950930482043278361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1632 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 3360)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,1385951234936549841,9950930482043278361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 1148)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,1385951234936549841,9950930482043278361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4264)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,1385951234936549841,9950930482043278361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
      - Uses browser remote debugging
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4684)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,1385951234936549841,9950930482043278361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
      - Uses browser remote debugging
    - C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4536)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,1385951234936549841,9950930482043278361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
      - Uses browser remote debugging
  - C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe (PID 220)
    Command line: C:\Users\Admin\AppData\Local\Temp\FRSSDE.exe /stext "C:\Users\Admin\AppData\Local\Temp\jmoyxzngpgjif"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1184)
    Command line: --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    Child processes:
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 836)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb5be546f8,0x7ffb5be54708,0x7ffb5be54718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1824)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4308)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1768)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5072)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      - Uses browser remote debugging
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2888)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      - Uses browser remote debugging
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4320)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
      - Uses browser remote debugging
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2804)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2120,16613222806372845370,12195809798776115364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
      - Uses browser remote debugging
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 2588)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\System32\CompPkgSrv.exe (PID 4328)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2200)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
  - Modify Authentication Process (1)
  - Steal Web Session Cookie (1)
  - Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads