Analysis
- max time kernel: 1041s
- max time network: 1045s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
- submitted: 24-12-2024 08:35
- Static task: static1
General
- Target: Bootstrapper.exe
- Size: 800KB
- MD5: 02c70d9d6696950c198db93b7f6a835e
- SHA1: 30231a467a49cc37768eea0f55f4bea1cbfb48e2
- SHA256: 8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
- SHA512: 431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
- SSDEEP: 12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
Malware Config
Signatures
- A potential corporate email address has been identified in the URL: [email protected]
- Executes dropped EXE (2 IoCs)
    pid   Process
    3156  BootstrapperV2.04.exe
    608   Solara.exe
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    description     ioc
    Destination IP  1.0.0.1
    Destination IP  1.0.0.1
    Destination IP  1.0.0.1
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
    flow  ioc
    3     pastebin.com
    9     pastebin.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    41    api.ipify.org
    93    api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                                    Process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
    pid   Process
    1408  ipconfig.exe
- Modifies registry class (5 IoCs)
    description      ioc                                                                                                                                                                                                                        Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix                BackgroundTransferHost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"    BackgroundTransferHost.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"   BackgroundTransferHost.exe
    Key created      \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache                                                                                                                              BackgroundTransferHost.exe
    Key created      \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache                                                                                                                              MiniSearchHost.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
    pid   Process
    608   Solara.exe
    3996  msedge.exe  (2 rows)
    3068  msedge.exe  (2 rows)
    1088  identity_helper.exe  (2 rows)
    4876  msedge.exe  (2 rows)
    1824  msedge.exe  (4 rows)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
    pid   Process
    3068  msedge.exe  (15 rows)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
    description  pid  Process
  The following 21 token entries for pid 3784 WMIC.exe are listed twice (42 rows):
    Token: SeIncreaseQuotaPrivilege       3784  WMIC.exe
    Token: SeSecurityPrivilege            3784  WMIC.exe
    Token: SeTakeOwnershipPrivilege       3784  WMIC.exe
    Token: SeLoadDriverPrivilege          3784  WMIC.exe
    Token: SeSystemProfilePrivilege       3784  WMIC.exe
    Token: SeSystemtimePrivilege          3784  WMIC.exe
    Token: SeProfSingleProcessPrivilege   3784  WMIC.exe
    Token: SeIncBasePriorityPrivilege     3784  WMIC.exe
    Token: SeCreatePagefilePrivilege      3784  WMIC.exe
    Token: SeBackupPrivilege              3784  WMIC.exe
    Token: SeRestorePrivilege             3784  WMIC.exe
    Token: SeShutdownPrivilege            3784  WMIC.exe
    Token: SeDebugPrivilege               3784  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   3784  WMIC.exe
    Token: SeRemoteShutdownPrivilege      3784  WMIC.exe
    Token: SeUndockPrivilege              3784  WMIC.exe
    Token: SeManageVolumePrivilege        3784  WMIC.exe
    Token: 33                             3784  WMIC.exe
    Token: 34                             3784  WMIC.exe
    Token: 35                             3784  WMIC.exe
    Token: 36                             3784  WMIC.exe
  Remaining 3 rows:
    Token: SeDebugPrivilege               4228  Bootstrapper.exe
    Token: SeDebugPrivilege               3156  BootstrapperV2.04.exe
    Token: SeDebugPrivilege               608   Solara.exe
- Suspicious use of FindShellTrayWindow (33 IoCs)
    pid   Process
    3068  msedge.exe  (33 rows)
- Suspicious use of SendNotifyMessage (16 IoCs)
    pid   Process
    3068  msedge.exe  (16 rows)
- Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    3948  MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
    description                         pid   Process                procid_target
    PID 4228 wrote to memory of 1448    4228  Bootstrapper.exe       78   (2 rows)
    PID 1448 wrote to memory of 1408    1448  cmd.exe                80   (2 rows)
    PID 4228 wrote to memory of 5084    4228  Bootstrapper.exe       81   (2 rows)
    PID 5084 wrote to memory of 3784    5084  cmd.exe                83   (2 rows)
    PID 4228 wrote to memory of 3156    4228  Bootstrapper.exe       85   (2 rows)
    PID 3156 wrote to memory of 608     3156  BootstrapperV2.04.exe  86   (2 rows)
    PID 3068 wrote to memory of 2024    3068  msedge.exe             99   (2 rows)
    PID 3068 wrote to memory of 3044    3068  msedge.exe             100  (40 rows)
    PID 3068 wrote to memory of 3996    3068  msedge.exe             101  (2 rows)
    PID 3068 wrote to memory of 964     3068  msedge.exe             102  (8 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  PID: 4228
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c ipconfig /all
    PID: 1448
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      PID: 1408
      Signatures: Gathers network information
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    PID: 5084
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      PID: 3784
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.04.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
    PID: 3156
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\ProgramData\Solara\Solara.exe
      Command line: "C:\ProgramData\Solara\Solara.exe"
      PID: 608
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  PID: 1248
  Signatures: Modifies registry class
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\CompressShow.htm
  PID: 3068
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86fe33cb8,0x7ff86fe33cc8,0x7ff86fe33cd8
    PID: 2024
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
    PID: 3044
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    PID: 3996
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    PID: 964
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    PID: 1920
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    PID: 5084
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    PID: 1088
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
    PID: 4876
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    PID: 5072
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
    PID: 2092
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    PID: 608
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    PID: 2036
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    PID: 1036
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
    PID: 2300
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    PID: 3772
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    PID: 4200
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    PID: 4572
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    PID: 2456
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    PID: 4672
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    PID: 3916
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
    PID: 3928
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14802214608998964131,2313493443259829126,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3528 /prefetch:2
    PID: 1824
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2936
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4816
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 3948
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 695KB
  MD5: 195ffb7167db3219b217c4fd439eedd6
  SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
  SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
  SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- Filesize: 133KB
  MD5: c6f770cbb24248537558c1f06f7ff855
  SHA1: fdc2aaae292c32a58ea4d9974a31ece26628fdd7
  SHA256: d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b
  SHA512: cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a
- Filesize: 5.2MB
  MD5: aead90ab96e2853f59be27c4ec1e4853
  SHA1: 43cdedde26488d3209e17efff9a51e1f944eb35f
  SHA256: 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
  SHA512: f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
- Filesize: 10KB
  MD5: 64e734fb7c72be58006d14ad836bec5b
  SHA1: 1f7e07decd3de82e64ff6670cc63a429d2e803e7
  SHA256: 0a8d36d3a0ff8701682189a04035e70dd5c0b8fe910eaf40f82e1d6f27b1ab60
  SHA512: b122c2887edc8ffebb65607ad9e12d51dd09406ef7367ec6ca22fbccea19b6280bf7cf89dca4f802105258d19617c95462abbd950befee40d60e2f9f6bf26547
- Filesize: 152B
  MD5: 9314124f4f0ad9f845a0d7906fd8dfd8
  SHA1: 0d4f67fb1a11453551514f230941bdd7ef95693c
  SHA256: cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
  SHA512: 87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85
- Filesize: 152B
  MD5: e1544690d41d950f9c1358068301cfb5
  SHA1: ae3ff81363fcbe33c419e49cabef61fb6837bffa
  SHA256: 53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
  SHA512: 1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 3e337b26e3925b453283009ad40f7ab9
  SHA1: 46f203dc6351eb6cc79fd8e484b965c5c9b7900f
  SHA256: f07cc4d471d6880b14cb3dc51d85c02f3218af5a150edec9cb6940eeff23a25a
  SHA512: 86cccf2d7fb6e1ce14b923002db4efdc9fb2333330b047e92393f4ebeb0b54997814f339e2cb6bfd17886e748cb5b6e3c69ef515edafa6e7a242d237b00ee66d
- Filesize: 4KB
  MD5: 88f1795024449648ac0027071fb5d159
  SHA1: 131e761d474fead51a568a63bf721eb54b811ddf
  SHA256: b85119a9903a669920e798955db7e83682b141e0154794d5c105b7c365a40394
  SHA512: be8c9971f8375fa64891e628f9b22b3ffa2066e5ec3a2a69f4d3e0e1fd018400d44fe000fd1256c246fa504dcb5ce87a07e66d7a31648dc83d7432c5e5efd7a2
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 7KB
  MD5: 58e60f07b39d015d6e0f3931346822a8
  SHA1: 7accbb9f598733d6f8850094749efee0992a01e0
  SHA256: 4e3737d86a7be38b2585cba9a85161bdae9fd42602f7bae3204db05974209f6a
  SHA512: 710096f6c14c60bf5a8a27e5e90fd1195d82016596467676f18ee6d1a6ba2dd37fb046a616f401fff4e77de300e49978fb50db4282492c962c9e485e7ca6c4d3
- Filesize: 5KB
  MD5: 18ac308580826a13155fc4d36ca75fe8
  SHA1: 5d7b89f39b162a9f1f019d6fe9d1076cd21bbf0b
  SHA256: 76baee39f92c77edfa4e885c3c7e772fef4efad60e3645823d8e8ae029881997
  SHA512: e73269d178ba82d3545de5b80656cbd06ab807cfdc8916365699bc67cdfa629b1cddd554cfb917af0c50700f3ddc509c7b34174ef6a7130ef59fa4a2352c4bd9
- Filesize: 5KB
  MD5: 72167ac6e73bf858636984c1e72f69ef
  SHA1: e47a0a0be93372b60196288a5462a746a869afe0
  SHA256: fb213aefd5263514aaa18f28ccaa6dbf0729a176a6861ba158d087aefa428256
  SHA512: 6bbe8f1e2b8551303ea2e4c58d70a418bae31dd9c92ee1158f6a92fb521bbf41ff729d28bd989c7ab1bea17689236dc3cb7ec4f2351072abbdc81f6a9dd09748
- Filesize: 6KB
  MD5: ffe8b5045d9f84da2eecb87dbfe25642
  SHA1: 56b292b18fdc94972e4bd0615c96b82e4a3d619c
  SHA256: a38f56208403743a92fd5935257d9f0024d32fc15345a6eb353797cbb29d8fd7
  SHA512: 329f399d5e9f28fe61d75f2bda6c008536727b1c255324860a27ead7e1899d4edbb7f7cf6e698790e88d62ef02f3fa7e2dfa6be5b1ac15700890ad3b3f85a805
- Filesize: 7KB
  MD5: 13ba4ab57bdca1601166566e8259db9d
  SHA1: 9d062b1d68a4e83fef29d91c4931a9885bb47ee8
  SHA256: b6271cf840ae59a68231665de35e43ae97dc1a1ac34c79399892a1b480ae2ab5
  SHA512: d4483bbb2e88cdd01098e04cbb54d1e2852b4c39c48fa622ee6e8e39f3c54209367a9489f9695b6645a6a3eb75c823269f7f56a0917d3b968356edf63d642539
- Filesize: 2KB
  MD5: 9862cd6e0b86cfea8d129817b9c1d129
  SHA1: 09df17cefa26f8478205f850433f2f47096bbf08
  SHA256: 19032475ad2e81ed4b0ca759a0640aadb531fa8e7aedf5dc5fcdc20a1301339d
  SHA512: aa646895cf1e0d2e2e682028fd54e7e0f073b480ef8956ca1cf9fbfab93552d275edf27635963b4d7e7a2ecaddcab375c731aec6fde3ed6800379aaf2f887433
- Filesize: 1KB
  MD5: e5c41d9db8d6a5cc8e8753c697b5aa68
  SHA1: 3f5a30c0029b914834c86e09d74a657af57181fe
  SHA256: a39b6ef1a61293c1224149083f15dde791db5e97361c4cbf9069923124422fe3
  SHA512: 1ac8ac3274b229d14b0a896cfa5092869cc6ae55629c7e39fcb84d4b8eb38cf9fc038c570cfd0894e6e6611c4fa319e1120de0a8347a4753de63546f1f235293
- Filesize: 1KB
  MD5: 35c757122df17ff4e0553ec2651d37b0
  SHA1: 503b09e6d6bfbcaad3191cd0fa0b2b3c5c7f31b7
  SHA256: 7e1b286ee5cd8e8a3a801eab58ac09254bc1e6df51ff014ecd0bb1f443a20338
  SHA512: d384f8e90d9a295974f7c3867b7bd53f3f03049379e8bd030a0ab9efe55dd8a390746d5ca6064e267738e14f0e45e4a673633f5485a5fdfaae69dc92a7a3ef7e
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 10KB
  MD5: bd7566d97731e68fca15fbc6f68c4d15
  SHA1: 707fb6004e339c2eeaff1f7577edb1c42511c31c
  SHA256: 861056c5bff94e048957b89df929681be723d4b42d77e212c71ce4fcdd825fb1
  SHA512: 76c7a472bcf024881daa8cc844af7d84ee45e1bd93ebeb8d19bc345755f561535d9fd1b49313049be97a7b877ebe96748d0d4f8c745779203760eb6692fafaf7
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f7bdf58c-7016-4028-a011-09a406f82a94.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 77a8b2c86dd26c214bc11c989789b62d
  SHA1: 8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499
  SHA256: e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8
  SHA512: c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e
- Filesize: 2.8MB
  MD5: be4da425d9b7593e358ffbfca29f9c70
  SHA1: dc98530aad9728d779866ae957a738c52b13a565
  SHA256: c5277ddb6e51181d2b8bad59acf5f2badf5613b1e73384a84b793f720aa76c0d
  SHA512: 35790944f5855038f8357c0f6d11ea81b260632e590c26f9342e8beb1a8dfd2e3eb9efa11f8378f8542cad45e7675af3d29cf27424accf35aaa6aeb34487155b