Analysis
max time kernel: 930s
max time network: 917s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 16:57
Static task: static1
General
Target: XBinderOutput.exe
Size: 64KB
MD5: 7ca5852a9d6d8c6d86ed1d0c0814a9f6
SHA1: 692ef8e9600163e66508dd27cbbded5be2f9dda5
SHA256: 92ec5fd1a2c0aa1c565b93b5c2f8d9e472346014a0927182865b7c830aa3c7cd
SHA512: 3fb5c4a95b6c1fb4db20810d824192aa8b4dc35535151eaad02a60e0a24df38e452d52a8912fb8d114d7d0d58456763cf3eb739086fdb72f838f235e88f877b8
SSDEEP: 1536:YzUmkjlbRxKrE99uExdTlM28i5pzDwl2qay:e50lb7KrE93Mw7wl2S
Malware Config

Extracted: asyncrat
Default: one-accordance.gl.at.ply.gg:9590
delay: 1
install: true
install_file: Windows Defender.exe
install_folder: %AppData%

Extracted: asyncrat 0.5.8
Default: 66.66.146.74:9511
nwJFeGdDXcL2
delay: 3
install: true
install_file: System32.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (2 IoCs)
resource                                     yara_rule
behavioral1/files/0x0031000000023b76-6.dat   family_asyncrat
behavioral1/files/0x0031000000023b77-18.dat  family_asyncrat

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation
  by Start.exe, System32.exe, XBinderOutput.exe, Loader.exe

Executes dropped EXE (4 IoCs)
pid   Process
2796  Loader.exe
400   Start.exe
3284  Windows Defender.exe
4060  System32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by timeout.exe, schtasks.exe, cmd.exe, cmd.exe, timeout.exe, System32.exe, cmd.exe, cmd.exe, schtasks.exe, Start.exe

Delays execution with timeout.exe (3 IoCs)
pid   Process
3176  timeout.exe
740   timeout.exe
5040  timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                     Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1588  schtasks.exe
2220  schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process (distinct entries; the report repeats each one)
2796  Loader.exe
400   Start.exe
3284  Windows Defender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid   Process
1756  msedge.exe (all 10 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2796  Loader.exe
Token: SeDebugPrivilege  400   Start.exe
Token: SeDebugPrivilege  3284  Windows Defender.exe
Token: SeDebugPrivilege  4060  System32.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process
1756  msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
1756  msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs; distinct entries, the report repeats each one)
description                        pid   Process            procid_target
PID 4896 wrote to memory of 2796   4896  XBinderOutput.exe  84
PID 4896 wrote to memory of 400    4896  XBinderOutput.exe  85
PID 2796 wrote to memory of 2056   2796  Loader.exe         86
PID 2796 wrote to memory of 2252   2796  Loader.exe         88
PID 2252 wrote to memory of 3176   2252  cmd.exe            90
PID 2056 wrote to memory of 1588   2056  cmd.exe            91
PID 2252 wrote to memory of 3284   2252  cmd.exe            98
PID 400 wrote to memory of 1000    400   Start.exe          99
PID 400 wrote to memory of 3440    400   Start.exe          101
PID 3440 wrote to memory of 740    3440  cmd.exe            104
PID 1000 wrote to memory of 2220   1000  cmd.exe            103
PID 3440 wrote to memory of 4060   3440  cmd.exe            108
PID 1756 wrote to memory of 1000   1756  msedge.exe         116
PID 1756 wrote to memory of 828    1756  msedge.exe         117

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; [n] is the nesting depth, each entry lists image path, command line, matched signatures and PID)

[1] C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4896

  [2] C:\Users\Admin\AppData\Local\Temp\Loader.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2796

    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
        - Suspicious use of WriteProcessMemory
        PID:2056

      [4] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
          - Scheduled Task/Job: Scheduled Task
          PID:1588

    [3] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat""
        - Suspicious use of WriteProcessMemory
        PID:2252

      [4] C:\Windows\system32\timeout.exe
          cmdline: timeout 3
          - Delays execution with timeout.exe
          PID:3176

      [4] C:\Users\Admin\AppData\Roaming\Windows Defender.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:3284

  [2] C:\Users\Admin\AppData\Local\Temp\Start.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Start.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:400

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:1000

      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID:2220

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp828E.tmp.bat""
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:3440

      [4] C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout 3
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID:740

      [4] C:\Users\Admin\AppData\Roaming\System32.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\System32.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID:4060

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "System32"
            - System Location Discovery: System Language Discovery
            PID:7548

          [6] C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /delete /f /tn "System32"
              - System Location Discovery: System Language Discovery
              PID:1528

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.bat""
            - System Location Discovery: System Language Discovery
            PID:7716

          [6] C:\Windows\SysWOW64\timeout.exe
              cmdline: timeout 3
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
              PID:5040

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1756

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb7b1b46f8,0x7ffb7b1b4708,0x7ffb7b1b4718
      PID:1000

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      PID:828

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      PID:4808

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
      PID:2704

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      PID:4320

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      PID:4752

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
      PID:1848

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      PID:3912

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      PID:5224

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      PID:5480

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      PID:5488

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      PID:5500

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      PID:6100

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
      PID:7252

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
      PID:7924

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
      PID:8172

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5668 /prefetch:2
      PID:7428

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:4288

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:2568
MITRE ATT&CK Enterprise v15
Downloads