6014b30bcb29b6bcc758164ee4057e84dc08180c12688e2396dd638f2142c322

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/12/2024, 18:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
Size

209KB
MD5

1a736d7a0881473473a6c5f782836e69
SHA1

9e42b57a2076867afdd47373b867ac87cba5083f
SHA256

7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8
SHA512

7e758e89292fec2d23f7b1041bb375ef0baab55571324a0c8414bd3a5332361936a552b07e27ae217bedddf777d6ae5bffff91870280b32421d6137e5905256d
SSDEEP

6144:lreOmET+k+aBChc06gTOKBJWuSml64ps7O61:MOmEHchc0HOKPWujl64pKf

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4904-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4904-119-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
2444	msedge.exe
2444	msedge.exe
2920	msedge.exe
2920	msedge.exe
1116	identity_helper.exe
1116	identity_helper.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2920	4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe	82
PID 4904 wrote to memory of 2920	4904	7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe	82
PID 2920 wrote to memory of 4576	2920	msedge.exe	83
PID 2920 wrote to memory of 4576	2920	msedge.exe	83
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 4000	2920	msedge.exe	84
PID 2920 wrote to memory of 2444	2920	msedge.exe	85
PID 2920 wrote to memory of 2444	2920	msedge.exe	85
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86
PID 2920 wrote to memory of 3468	2920	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe
"C:\Users\Admin\AppData\Local\Temp\7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/PTCheatzz
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb3346f8,0x7ffbbb334708,0x7ffbbb334718
    3⤵
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
    3⤵
    PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
    3⤵
    PID:3664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9316097912319987278,3591665284509283997,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.221.35
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.27.27
DNS

35.221.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.221.240.157.in-addr.arpa

IN PTR

Response

35.221.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-lhr8facebookcom
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

27.27.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.27.240.157.in-addr.arpa

IN PTR

Response

27.27.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-dus1fbcdnnet
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.27.35
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.27.35
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.27.35
DNS

35.27.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.27.240.157.in-addr.arpa

IN PTR

Response

35.27.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-dus1facebookcom
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

157.240.221.35:443

www.facebook.com

tls

msedge.exe

20.3kB
146.3kB
100
142
157.240.27.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
2.9kB
9
7
157.240.27.27:443

static.xx.fbcdn.net

tls

msedge.exe

28.7kB
991.5kB
530
804
157.240.27.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
2.9kB
9
7
157.240.27.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
2.9kB
9
7
157.240.27.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
2.9kB
9
7
157.240.27.27:443

static.xx.fbcdn.net

tls

msedge.exe

3.2kB
23.1kB
35
44
157.240.27.35:443

facebook.com

tls

msedge.exe

1.7kB
4.0kB
14
13
157.240.27.35:443

fbcdn.net

tls

msedge.exe

1.9kB
5.1kB
15
17

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.221.35
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.27.27
8.8.8.8:53

35.221.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.221.240.157.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

27.27.240.157.in-addr.arpa

dns

72 B
116 B
1
1

DNS Request

27.27.240.157.in-addr.arpa
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.27.35
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.27.35
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.27.35
8.8.8.8:53

35.27.240.157.in-addr.arpa

dns

72 B
125 B
1
1

DNS Request

35.27.240.157.in-addr.arpa
224.0.0.251:5353

510 B
8
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
4404d1636325ed45035e665a4ed2bb79

SHA1
594afba4b6a8ed9805c111ca0f57adcdd0d5d847

SHA256
b7401883cec28ae053387558c6a378745213dd6b984700de272ab8c7f8a78bd7

SHA512
37ef2f531d13aa60ae1c4c0f60294f65644b97896a51bb44264c9e10ccd65857bd9f1a0561a9415eb37b6bd022c0a8829aef7f2545594f29a6e5426c4ea091d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
398B

MD5
ef38235b738c75be474e407925422843

SHA1
08e5132051e95367daf1af589e9426fd219dd95d

SHA256
ba991d1ad86d0420bf56a926fb1f1548a0f55cff6464b5ac282a5d35e2b7c6d5

SHA512
50426707ce90a4bb0a823df7726cdf821fd577490fb911f399560e3739de77e6d993dd2ca5ac31a4a996a7eda281638458fae1112cdced28f18d9fd4b11cb106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54606f6a399b6da8a00e88e751a2e782

SHA1
0a04e5a7d29bcc31dbc4a37798a85aaa471b8341

SHA256
4e6d21fdae545279edc7c47951ebb0adbd2a9eee6fb46d57975ae8ff37b1d9d7

SHA512
afcd7dc0b2eac84b13c22d296985d58d110bd2146e963d185f4acd322cc26a55ab2080225a1899c1e2cb559824910a9809fb431c4568fa795b1dca13709594ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8229d2dbf25d95195c5b34ef10582466

SHA1
f5d0208afcb516b925371d6869692b924e687ba1

SHA256
b5830c16349ee18c2fbba4ad85944f0b05bf2bb6cb78c14a63c8f46fbc22d145

SHA512
833d2053119f01291b898b80718c240fb4268f6066226e3a7b878c0024c26b3b8d96833cb71bc7125166b484f10d6377a9ad3bc06afa24fccc7fea11a0f695da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
299428e502dd280b2ab4b91f3dd8cb3b

SHA1
65ea26ac4f5fef4aa6c76181b79344b64bcda143

SHA256
b7beaaaaa9fa11d8046dc07ce01546dd5bb82fc112ed578d497a56410649fc6f

SHA512
637428bcd5c686972dede13b1f069ccaa27187953ca042c84ab7231776406548a0c770aeadd0e5146335a44f086942ec82b3ac37cb76e3829edbb1393e199ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
a0d03b3d047e2bd51c67235cbd44b016

SHA1
b41e0521c3219cd16dce2574c155a9690b3b94b6

SHA256
957fad49b7be863a2efd3c7d4663ca8ee42a9e020026b5f7a80b84876904ac44

SHA512
14e95f4da58636a4d9423437ab2b5a18d0f55e46479b259ea55c06d4d995b24a3307c37e0e173fd2b474fec2a6e16b2e305521aa522923a9492b362eb8165a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
1405a4f934c5e32496f9c875a376b09e

SHA1
bd461893b53b16b0fdb7df7b0235257875744c54

SHA256
227aa40c085c81deb5b09902d5be34b2519b21317ed1300a5cc5c43541272459

SHA512
5c47ba01522ce7c1858aa879e129388fc432359bd1f43ade50f96c1885b51bd2cbf968e5bfa0682607f50901fa361375ae0bcce4bd29c5230cfdaff6d5b4eadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580e43.TMP

Filesize
705B

MD5
95022dbb8bf6322364bc7d1e02177f74

SHA1
1d4b95540c60ceacb7be8d242927ba491c3b5a08

SHA256
160fa5d839af790ead0f769566e595f46aa1317644152d3613c032cf57c2ab9e

SHA512
925915176806a28f20da0d477d2e807ccef46bf180392adcf9fbaf8036e4bc3834eaa19436fc1f1ada6f53f09ace18d2356b8519947a2f738212baff2a15f0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5ea66fbcb5343bc37a4ca32515e62e08

SHA1
5fb247e822418ce06585165b7b61a119d96e0ef6

SHA256
dbbda5e6bec28d7307e459f69687a7e6c5cf6c476d3e83fa8a03ad88b3e11db3

SHA512
664e6b99b52e50dc76ff5df85dfec93e8eccf09ffbeb137dfb95b2ae320b5a67ae80ed7711b155ed75fd1d290df000748ce938fa15e47d8def509e4c3875cb29

Download Submit
memory/4904-121-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4904-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4904-119-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4904-1-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.