metasploit | 104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472

Analysis

max time kernel
148s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
Size

1.8MB
MD5

c4ecb069115fb3097aaff4a91dabc8e4
SHA1

bb10418a36aa237f6010e10e010e4f7e4d292cf3
SHA256

104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472
SHA512

958c6d375597597f2cbfd8e5f3f89286fe90641c5f5146c1b49f6c02f716f11a04669a4941da676b87bd628d5e251bd9e483c977c358c46a7a90fac429d6a1ac
SSDEEP

24576:/3vLRdVhZBK8NogWYO09QOGi9JbBodjwC/hR:/3d5ZQ1AxJ+

Score

10^/10

metasploit backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

1.15.12.73:4567

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\Z:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\H:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\O:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\Q:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\X:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\P:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\R:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\S:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\U:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\E:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\G:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\J:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\M:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\L:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\N:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\V:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\W:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\A:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\B:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\I:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\K:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
File opened (read-only)	\??\T:	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
3968	msedge.exe
3968	msedge.exe
1520	identity_helper.exe
1520	identity_helper.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
Token: SeDebugPrivilege	4400	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
Token: SeDebugPrivilege	3880	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
Token: SeDebugPrivilege	3880	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3880	4400	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe	83
PID 4400 wrote to memory of 3880	4400	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe	83
PID 4400 wrote to memory of 3880	4400	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe	83
PID 3880 wrote to memory of 3968	3880	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe	85
PID 3880 wrote to memory of 3968	3880	104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe	85
PID 3968 wrote to memory of 2516	3968	msedge.exe	86
PID 3968 wrote to memory of 2516	3968	msedge.exe	86
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 2740	3968	msedge.exe	87
PID 3968 wrote to memory of 440	3968	msedge.exe	88
PID 3968 wrote to memory of 440	3968	msedge.exe	88
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89
PID 3968 wrote to memory of 4296	3968	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
"C:\Users\Admin\AppData\Local\Temp\104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe
  "C:\Users\Admin\AppData\Local\Temp\104d56a1fbf8bfe0a1f9192084ad5c79741cbe977576c3a6ef050eb6ddf5a472.exe" Admin
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffec9e346f8,0x7ffec9e34708,0x7ffec9e34718
      4⤵
      PID:2516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
      4⤵
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:3540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:1228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:2004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      4⤵
      PID:164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      4⤵
      PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
      4⤵
      PID:1292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
      4⤵
      PID:756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18273708724381974058,11780911121804236014,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
87d8a9dfacc945d20822bb98eb18246a

SHA1
ded760637776f1b0ab5c51060fcab4aa91f9aa69

SHA256
9ff87785bebd7b49a1c36830b1a224e8807b09b61b23d5c271efc32845e527ea

SHA512
0ad2226a99c92297373c9d0d9df6804ae511a11bab7f48a7e84a738cb6f96a3798446865f0a877eb19a3dac58c6ca4aba272ceef234f4a9247eda79eac15c643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef26608f67adc27f1a97ff0f4da8938e

SHA1
a53a2a0e6598b08f3d8d2f41eab8864e7b8101f2

SHA256
d92fa11751d042027694d200bf246949185ac8a2f2016f7b19fdafcbc4c624db

SHA512
7c2040d7fca3e3c780dd65718d4a44c66420b0c1278042e22ce5f55c60908fb6830bc54896891bb98243c75cb0cdd2737eae1ebeb884d01228b9131fe94328b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9620ea1d2e01e93ce91b42aab077d8c3

SHA1
b5b6f809fd1462490c7db80c540b17d769d1e86d

SHA256
cb11dcb5eb30feb0b4313dfcbc648aa2d09147491b9865c0d4f1e57ca30c98b4

SHA512
78bdf9baed5c360069278863d272d352c172d16e3617a51ff76a47add45b86b544e4d2243b7c8d54d59e79051aa7e046af0a42444560634db5eb7f5c79096372

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
memory/3880-6-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3880-13-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3880-11-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3880-10-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3880-9-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4400-0-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4400-4-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4400-3-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4400-2-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download