Overview (score 10)
Static (score 10)

Tasks (target, platform, score):
FD4DC9B2BF...4B.exe    windows7-x64          1
FD4DC9B2BF...4B.exe    windows10-2004-x64    1
Flyper.exe             windows7-x64          1
Flyper.exe             windows10-2004-x64    1
Flyper2.exe            windows7-x64          1
Flyper2.exe            windows10-2004-x64    1
Flyper3.exe            windows7-x64          1
Flyper3.exe            windows10-2004-x64    1
Free YouTu...er.exe    windows7-x64          3
Free YouTu...er.exe    windows10-2004-x64    3
FreeYoutub...16.exe    windows7-x64          7
FreeYoutub...16.exe    windows10-2004-x64    7
file (1).exe           windows7-x64          10
file (1).exe           windows10-2004-x64    10
file (2).exe           windows7-x64          6
file (2).exe           windows10-2004-x64    10
file (3).exe           windows7-x64          10
file (3).exe           windows10-2004-x64    10
file (4).exe           windows7-x64          10
file (4).exe           windows10-2004-x64    10
file (6).exe           windows7-x64          10
file (6).exe           windows10-2004-x64    10
file (7).exe           windows7-x64          1
file (7).exe           windows10-2004-x64    3
file.exe               windows7-x64          5
file.exe               windows10-2004-x64    5
file_ (1).exe          windows7-x64          7
file_ (1).exe          windows10-2004-x64    7
file_ (2).exe          windows7-x64          7
file_ (2).exe          windows10-2004-x64    7
file_ (3).exe          windows7-x64          7
file_ (3).exe          windows10-2004-x64    7

Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 03:43
Behavioral tasks (task: sample, resource):
behavioral1: FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe, win7-20240903-en
behavioral2: FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe, win10v2004-20241007-en
behavioral3: Flyper.exe, win7-20240708-en
behavioral4: Flyper.exe, win10v2004-20241007-en
behavioral5: Flyper2.exe, win7-20240903-en
behavioral6: Flyper2.exe, win10v2004-20241007-en
behavioral7: Flyper3.exe, win7-20241010-en
behavioral8: Flyper3.exe, win10v2004-20241007-en
behavioral9: Free YouTube Downloader.exe, win7-20241010-en
behavioral10: Free YouTube Downloader.exe, win10v2004-20241007-en
behavioral11: FreeYoutubeDownloader11012016.exe, win7-20240903-en
behavioral12: FreeYoutubeDownloader11012016.exe, win10v2004-20241007-en
behavioral13: file (1).exe, win7-20240903-en
behavioral14: file (1).exe, win10v2004-20241007-en
behavioral15: file (2).exe, win7-20240708-en
behavioral16: file (2).exe, win10v2004-20241007-en
behavioral17: file (3).exe, win7-20241010-en
behavioral18: file (3).exe, win10v2004-20241007-en
behavioral19: file (4).exe, win7-20240903-en
behavioral20: file (4).exe, win10v2004-20241007-en
behavioral21: file (6).exe, win7-20240903-en
behavioral22: file (6).exe, win10v2004-20241007-en
behavioral23: file (7).exe, win7-20240903-en
behavioral24: file (7).exe, win10v2004-20241007-en
behavioral25: file.exe, win7-20241023-en
behavioral26: file.exe, win10v2004-20241007-en
behavioral27: file_ (1).exe, win7-20241010-en
behavioral28: file_ (1).exe, win10v2004-20241007-en
behavioral29: file_ (2).exe, win7-20240903-en
behavioral30: file_ (2).exe, win10v2004-20241007-en
behavioral31: file_ (3).exe, win7-20241023-en
General
Target: file (4).exe
Size: 97KB
MD5: 241421356dd99063199983faaaec1d8b
SHA1: 2f65f6007347bdeb6bce09f7b727ed3db30c86a8
SHA256: ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5
SHA512: 59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee
SSDEEP: 1536:WUVdfhkoWcPdBW4TVu5nHhJKqMkwN7Y0S8iXU0CsNdyukfP+:WUVTVg5BWkfqUEsNYFfP+
Malware Config
Signatures
UAC bypass (title as listed for kasper_zaebal.exe in the process tree below)
Processes: kasper_zaebal.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kasper_zaebal.exe

Executes dropped EXE 1 IoCs
Processes: kasper_zaebal.exe
  pid | process
  3120 | kasper_zaebal.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes: file (4).exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file (4).exe" | file (4).exe

Checks whether UAC is enabled (title as listed for kasper_zaebal.exe in the process tree below)
Processes: kasper_zaebal.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kasper_zaebal.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kasper_zaebal.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes: cmd.exe
  description | ioc | process
  File created | C:\ProgramData\Media\kasper_zaebal.exe:Zone.Identifier | cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: file (4).exe, cmd.exe, kasper_zaebal.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file (4).exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kasper_zaebal.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

NTFS ADS 1 IoCs
Processes: cmd.exe
  description | ioc | process
  File created | C:\ProgramData\Media\kasper_zaebal.exe:Zone.Identifier | cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: file (4).exe, msedge.exe, msedge.exe, identity_helper.exe, kasper_zaebal.exe
  pid | process (repeat count among the 64 rows listed)
  4624 | file (4).exe (x10)
  2988 | msedge.exe (x2)
  3804 | msedge.exe (x2)
  3672 | identity_helper.exe (x2)
  3120 | kasper_zaebal.exe (all remaining rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes: msedge.exe
  pid | process
  3804 | msedge.exe (x8)

Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
  pid | process
  3804 | msedge.exe (x25)

Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
  pid | process
  3804 | msedge.exe (x24)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: kasper_zaebal.exe
  pid | process
  3120 | kasper_zaebal.exe (x2)

Suspicious use of WriteProcessMemory 64 IoCs
Processes: file (4).exe, msedge.exe
  description | pid | process | target process (repeat count among the 64 rows listed)
  PID 4624 wrote to memory of 5060 | 4624 | file (4).exe | cmd.exe (x3)
  PID 4624 wrote to memory of 3120 | 4624 | file (4).exe | kasper_zaebal.exe (x3)
  PID 4624 wrote to memory of 3804 | 4624 | file (4).exe | msedge.exe (x2)
  PID 3804 wrote to memory of 2404 | 3804 | msedge.exe | msedge.exe (x2)
  PID 3804 wrote to memory of 2928 | 3804 | msedge.exe | msedge.exe (all remaining rows)
  PID 3804 wrote to memory of 2988 | 3804 | msedge.exe | msedge.exe (x2)
  PID 3804 wrote to memory of 2332 | 3804 | msedge.exe | msedge.exe (x12)

System policy modification 1 TTPs 2 IoCs
Processes: kasper_zaebal.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | kasper_zaebal.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kasper_zaebal.exe
Processes (indented by process-tree depth)

file (4).exe  PID:4624
  image: C:\Users\Admin\AppData\Local\Temp\file (4).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file (4).exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  cmd.exe  PID:5060
    image: C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS

  kasper_zaebal.exe  PID:3120
    image: C:\ProgramData\Media\kasper_zaebal.exe
    command line: -wait
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification

  msedge.exe  PID:3804
    image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.eu/
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    msedge.exe  PID:2404
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab22046f8,0x7ffab2204708,0x7ffab2204718

    msedge.exe  PID:2928
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

    msedge.exe  PID:2988
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID:2332
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 /prefetch:8

    msedge.exe  PID:2668
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

    msedge.exe  PID:3756
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

    msedge.exe  PID:704
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

    msedge.exe  PID:3676
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

    identity_helper.exe  PID:744
      image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8

    identity_helper.exe  PID:3672
      image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID:976
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

    msedge.exe  PID:1424
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1

    msedge.exe  PID:4900
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

    msedge.exe  PID:4316
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

    msedge.exe  PID:408
      image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6112 /prefetch:2

CompPkgSrv.exe  PID:2428
  image: C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe  PID:2620
  image: C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15 (technique, hit count)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 97KB
MD5: 241421356dd99063199983faaaec1d8b
SHA1: 2f65f6007347bdeb6bce09f7b727ed3db30c86a8
SHA256: ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5
SHA512: 59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 84B
MD5: c6f7299be3ecbb88acfde79c4dc2b63c
SHA1: 1ce9da1d060431581f08d3fa83240aab5b281d81
SHA256: a22d2d0a98cec8c7efccea543dc7d770577b5a966735deffa2f1bce9ecfbad5d
SHA512: b7ce561caff59f6a08702f21dfc953b028ac6b47289c61f85468586ff9f941490bade7f78b4eb198ae958dcb58204c85db3b6ec1d071d9b0af6babe9534baa27

Filesize: 152B
MD5: ba6ef346187b40694d493da98d5da979
SHA1: 643c15bec043f8673943885199bb06cd1652ee37
SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Filesize: 152B
MD5: b8880802fc2bb880a7a869faa01315b0
SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 408B
MD5: d053a3b8bd9d67888ccea515559e4f17
SHA1: b35e96247d46700d796346273cf58e7b9dc46a29
SHA256: 1c8bd26b46ca691e0f20d2dc2755e035736f2f722d37b40f942a1295ec38db88
SHA512: a35ca5e15553456398afd7133dc5720680787e4c40ca79d0cdea62b31fe3f9113860b87a6a22d56863e6d1eb5e32a4d8af82c8c2d923efdc66483d7138c7d20d

Filesize: 1KB
MD5: 0cda9393746551fa07b11d2f2b7725d5
SHA1: e4534e2dfde2e93fe58f10caaabf398d7e097006
SHA256: 153356fc7427a06931da957175ad30a6059d57fc24fa7597591d28d0485c5cf1
SHA512: e1890bb66728811514d4bf62b5f5fb877fb0ab4667141983f54e7b6b0ba1c4342e3ce91cea08de8070856d6d96bf97d91adfb909ba3a1d64d0370ce393258073

Filesize: 5KB
MD5: 81f23c46791e7860158ce7413250e6a9
SHA1: 6c2784233999dc9f90b847fe196642a31db90640
SHA256: 6bae2d3badb314a4ad0676fbb82c7e74cdaf2e31a9dd0247d3bf8250363c5abf
SHA512: 9efdf9cd8936bceb6679a5d81e46aadf56945738bd328ffc87f389f701716d97e34996f927529093f918ace4aba93be65e30711931ae2d29fb8801567b7e9f3c

Filesize: 7KB
MD5: b99af258ebf8d83a6c5da9c1b7e1f864
SHA1: 970796f8bf5a6e440710ae4c368fadaee560ca61
SHA256: a01ce8f593fb80df32ab53d3a691421160211ce2bd74c07c7371ef2ecd2ffd65
SHA512: 7a991be6b7e6006042108e5115d9b2c3a5b5a60a261f7f51bd71a924524ebf4dc13e536a52f40f1c6a493ceea6055c053086c7633590eafc1da0c00011886e0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 168B
MD5: 865a81ec6800f75a80f133fab6a02204
SHA1: 2dcb53af590d0e4a24fe9bc4b12b4e0229894116
SHA256: 409ebcee27ec1316c74074f86e8df9e3f590404dce79da38a40cd3023b2e0da7
SHA512: 01816483fcd85c4ffbc099e34eebc8fc9fa36a027a0734f9d377b7d8da2d5c5243fe45d052a618303cc33adeef55239e441f9cb137a6b633f6028895ae48b9f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57df06.TMP
Filesize: 48B
MD5: 4d1a652772e36a647551fb3d707e2353
SHA1: 8725a97bcc05e9bcf4ae9ebd5f76a21a685969ff
SHA256: f57f8635cd075bc85847c8646a578775f6ed6fb80dec0884765747ae487bb712
SHA512: da51f640076245d4e6967d3ecbea2612ed79268b5324d73364bd48877ab56b40dd32ad6ac0a130ddc11503db90d5ff382c41573fa019d071c40cd6bcea750ac9

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: caf1e9586228ad594be97aa8144e0f86
SHA1: 76df69e9e9d7fc10b6197fe84593e4306f630c7a
SHA256: 99aea1a78f9996ef13563a4ba0759b9b942a176ab638816e06dc442cef0e2e67
SHA512: c41d61563a6f20fde297f2822718e7b4764e438aba0aa86e748d41cda441e66c6aec1097e5c960ece65a59ab05c23b1da7e6284e1f8d1fcdffc4e1f684e07305

Filesize: 11KB
MD5: 971625fc0507bfd05b3da76e4591caf1
SHA1: 6229fd6d4116783073c1033fd3c81faae7a1670b
SHA256: d13e78fd815b7231639f0bb207da0567f38de88b2e7758631bc3d65497d7fdb6
SHA512: 7cbe27ea80f1232d098d32d74b1fcf529b7c5dc1a65ee7e08fd7f1d4800e75148de7a3774717588b73f948910845145abce0b4b30914af2de926a832d344f657