Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2025, 22:25
Static task: static1
General
Target: 2025-05-19_137278ef2bde70e41d136b9c6cd348b7_black-basta_cobalt-strike_hijackloader_satacom.exe
Size: 652KB
MD5: 137278ef2bde70e41d136b9c6cd348b7
SHA1: 0e8bccd3483b46792528ef883bdcf8c7d71e8a33
SHA256: 0b83908a50084deba090cd763582f0c743c5071f0a0aeef600111bdefb59e4a0
SHA512: fae17fc33fd32ce99642884e2529ab5fc732a1382213360baecb17cedf47f62f423e35beace1dd17063d273cb1152feda8d7c05ed389f6b7fb5c6d5e5a029787
SSDEEP: 6144:XQyk1xZBq65kzLy9tEoEtKE0rWWrB+BhK629PRAY8:XQy2Zo65kzLy92oIt03rGI0
Malware Config
Extracted
Family: phorphiex
C2 URLs:
  http://185.156.72.39/
  http://45.141.233.6/
Wallet addresses (one per coin or address format; Phorphiex swaps a copied address for the configured one of matching format):
  TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H
  qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
  rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
  AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
  LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
  MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh
  4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
  XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
  0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B
  15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
  1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx
  ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93
  3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
  3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX
  CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
  DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
  t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
  stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
  bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
  bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
  bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq
  GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
  bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
Mutex: l9n7b5f2r
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted
Family: phorphiex
C2 URL:
  http://185.156.72.39
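The wallet list is what makes an extracted Phorphiex config actionable: every entry is the attacker's address for one coin or address format, and the clipper replaces a victim's copied address with the configured address of matching format. The Python below is an added example, not part of the sandbox report and not Phorphiex code. It classifies each configured address by public address-format rules (the DOT label for the 48-character "1..." address and the "bech32:<hrp>" label for other bech32 strings are assumptions; formats it does not recognise are reported as unknown rather than guessed) and scans free text, such as a clipboard or proxy log, for any configured address. The log lines are constructed.

```python
"""Classify the wallet addresses from the extracted Phorphiex config by
address format and scan free text for them.

Added example, not part of the sandbox report. The format rules are the
public address formats; labelling the 48-character "1..." address as DOT
(Polkadot SS58) and generic bech32 strings as "bech32:<hrp>" are assumptions,
and anything else is reported as "unknown" rather than guessed."""
import re

B58 = "[1-9A-HJ-NP-Za-km-z]"   # Base58 alphabet (no 0, O, I, l)
B32 = "[A-Z2-7]"               # base32 alphabet used by Stellar

# (label, regex). First match wins; lengths cover the whole address.
CHAIN_RULES = [
    ("DOT",          "^1" + B58 + "{46,47}$"),      # assumption: SS58, prefix 0
    ("BTC-P2PKH",    "^1" + B58 + "{25,33}$"),
    ("BTC-P2SH",     "^3" + B58 + "{33}$"),
    ("BTC-bech32",   "^bc1[qp][a-z0-9]{38,58}$"),   # segwit v0 and taproot
    ("BCH-cashaddr", "^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    ("ETH",          "^0x[0-9a-fA-F]{40}$"),
    ("XMR",          "^4" + B58 + "{94}$"),
    ("LTC-legacy",   "^[LM]" + B58 + "{33}$"),
    ("LTC-bech32",   "^ltc1[a-z0-9]{39,59}$"),
    ("TRX",          "^T" + B58 + "{33}$"),
    ("XRP",          "^r" + B58 + "{24,34}$"),
    ("DASH",         "^X" + B58 + "{33}$"),
    ("DOGE",         "^D" + B58 + "{33}$"),
    ("ZEC-t",        "^t1" + B58 + "{33}$"),
    ("XLM",          "^G" + B32 + "{55}$"),
    ("BNB",          "^bnb1[a-z0-9]{38}$"),
]
GENERIC_BECH32 = re.compile("^([a-z]{2,10})1[a-z0-9]{38,58}$")

# Wallets copied verbatim from the "Extracted / phorphiex" config above.
WALLETS = [
    "TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H",
    "qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r",
    "rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9",
    "AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z",
    "LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT",
    "MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh",
    "4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK",
    "XryzFMFVpDUvU7famUGf214EXD3xNUSmQf",
    "0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B",
    "15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC",
    "1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx",
    "ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93",
    "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc",
    "3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX",
    "CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2",
    "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA",
    "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh",
    "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj",
    "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2",
    "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr",
    "bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq",
    "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3",
    "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r",
]


def classify(addr):
    """Return the chain label for one address, or "unknown"."""
    for label, pattern in CHAIN_RULES:
        if re.match(pattern, addr):
            return label
    m = GENERIC_BECH32.match(addr)
    if m:
        return "bech32:" + m.group(1)      # other bech32 HRPs, e.g. stars
    return "unknown"


def coverage(wallets=WALLETS):
    """Map chain label -> configured addresses: which coins the clipper targets."""
    out = {}
    for w in wallets:
        out.setdefault(classify(w), []).append(w)
    return out


def find_wallets(text, wallets=WALLETS):
    """Return [(label, address)] for each configured wallet present in text as
    a whole token, in order of appearance. The lookbehind stops the bare
    cashaddr from also matching inside its 'bitcoincash:' form."""
    found = []
    for w in wallets:
        pattern = r"(?<![A-Za-z0-9:])" + re.escape(w) + r"(?![A-Za-z0-9])"
        for m in re.finditer(pattern, text):
            found.append((m.start(), classify(w), w))
    return [(label, w) for _, label, w in sorted(found)]


# Constructed sample log lines (not from the report).
SAMPLE_LOG = (
    "22:31:07 clipboard: 0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B\n"
    "22:31:09 clipboard: bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r\n"
    "22:31:12 clipboard: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT\n"
)

if __name__ == "__main__":
    for label, addrs in sorted(coverage().items()):
        print(f"{label:14} {len(addrs)}")
    for label, addr in find_wallets(SAMPLE_LOG):
        print("HIT", label, addr)
```

Running it shows the config covers Bitcoin in all three address formats plus Ethereum, Monero, Litecoin, Tron, XRP, Dash, Dogecoin, Zcash, Stellar, BNB and Bitcoin Cash; the three addresses that fall to unknown are the ones whose format alone does not identify a chain with confidence.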
Signatures
-
Phorphiex family
-
Phorphiex payload 1 IoCs
  resource: behavioral1/files/0x000b000000024227-175.dat
  yara_rule: family_phorphiex
Downloads MZ/PE file 2 IoCs
  flow  pid   Process
  93    3652  8424.exe
  3     1184  2025-05-19_137278ef2bde70e41d136b9c6cd348b7_black-basta_cobalt-strike_hijackloader_satacom.exe
Executes dropped EXE 5 IoCs
  pid   Process
  3652  8424.exe
  1468  421510305.exe
  1632  syscrondvr.exe
  3220  syscrondvr.exe
  3204  942711417.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str)   421510305.exe
      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syscrondvr.exe"
  The WOW6432Node path means the writer (421510305.exe) is a 32-bit process whose HKLM\SOFTWARE write was redirected by the registry redirector; hunt the Run key in both the 32-bit and 64-bit views.
Drops file in Program Files directory 18 IoCs
All 18 entries are attributed to msedge.exe (the "5404" in the directory names is the Edge PID); this is the browser the sample launched unpacking its own component files, not file activity of the Phorphiex payloads.
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1052958116\manifest.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1955620446\keys.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1955620446\_metadata\verified_contents.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_438841068\deny_domains.list
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_438841068\manifest.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1052958116\sets.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1955620446\LICENSE
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1955620446\manifest.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1955620446\manifest.fingerprint
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_438841068\manifest.fingerprint
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1052958116\LICENSE
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_438841068\deny_etld1_domains.list
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_438841068\deny_full_domains.list
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1482588259\manifest.fingerprint
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1052958116\_metadata\verified_contents.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1052958116\manifest.fingerprint
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1482588259\manifest.json
  File created  msedge.exe  C:\Program Files\chrome_Unpacker_BeginUnzipping5404_1482588259\typosquatting_list.pb
Drops file in Windows directory 2 IoCs
  File created                  421510305.exe  C:\Windows\syscrondvr.exe
  File opened for modification  421510305.exe  C:\Windows\syscrondvr.exe
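The two signatures above are the persistence chain: 421510305.exe writes C:\Windows\syscrondvr.exe and registers it under the 32-bit Run key as "Windows Settings", and the process tree later shows the copy being relaunched via cmd.exe /c C:\Windows\syscrondvr.exe. The Python below is an added example, not code from the report or from any vendor. It runs two hunting rules over constructed Sysmon-style events (EventID 13 for a registry value set, EventID 1 for process creation; the field names follow Sysmon but the events and the allowlist of binaries that legitimately sit directly in the Windows root are assumptions modelled on this report): a Run or RunOnce value whose target is an executable directly in the Windows root or in the user's Temp, and a process image directly in the Windows root that is not on the allowlist, noting when cmd.exe is the parent.

```python
"""Two hunting rules for the persistence seen in this report, run over
constructed Sysmon-style events.

Added example, not code from the report or any vendor. Field names follow
Sysmon (EventID 13 = registry value set, EventID 1 = process create) but the
events are made up to mirror the report, and the allowlist of executables
that legitimately live directly in %WINDIR% is illustrative."""
import re

# Assumed allowlist: binaries that sit directly in C:\Windows on a stock
# install. Build the real one from a known-good baseline of your own image.
WINDIR_ROOT_ALLOW = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "splwow64.exe", "bfsvc.exe", "helppane.exe",
}

# Run / RunOnce keys in either registry view, under HKLM or HKCU.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE)
# "<drive>:\Windows\<name>.exe" with no intermediate directory, optionally quoted.
WINDIR_ROOT_EXE_RE = re.compile(r'^"?([a-z]:\\windows\\[^\\"]+\.exe)"?', re.IGNORECASE)
TEMP_EXE_RE = re.compile(r'\\appdata\\local\\temp\\[^\\"]+\.exe', re.IGNORECASE)


def image_in_windir_root(path):
    """True if path is an executable directly in the Windows root that is
    not on the allowlist (C:\\Windows\\syscrondvr.exe -> True)."""
    m = WINDIR_ROOT_EXE_RE.match(path.strip())
    if not m:
        return False
    name = m.group(1).rsplit("\\", 1)[-1].lower()
    return name not in WINDIR_ROOT_ALLOW


def check_registry_set(ev):
    """EventID 13: a Run-key value pointing at the Windows root or user Temp."""
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    if image_in_windir_root(details):
        return "run-key -> exe in Windows root"
    if TEMP_EXE_RE.search(details):
        return "run-key -> exe in user temp"
    return None


def check_process_create(ev):
    """EventID 1: a non-allowlisted image started from the Windows root;
    notes when cmd.exe is the parent, as with cmd.exe /c C:\\Windows\\syscrondvr.exe."""
    if not image_in_windir_root(ev.get("Image", "")):
        return None
    verdict = "unexpected exe in Windows root"
    if ev.get("ParentImage", "").lower().endswith("\\cmd.exe"):
        verdict += " (parent cmd.exe)"
    return verdict


def hunt(events):
    """Apply both rules; return [(verdict, event)] in event order."""
    checks = {13: check_registry_set, 1: check_process_create}
    hits = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        verdict = check(ev) if check else None
        if verdict:
            hits.append((verdict, ev))
    return hits


# Constructed events mirroring the report's Run key and process tree.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\421510305.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "Details": r"C:\Windows\syscrondvr.exe"},
    {"EventID": 13, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetObject": r"HKU\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast",
     "Details": "133921671735440232"},
    {"EventID": 1, "Image": r"C:\Windows\syscrondvr.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"C:\Windows\syscrondvr.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for verdict, ev in hunt(SAMPLE_EVENTS):
        print(verdict, "<-", ev.get("Details") or ev.get("Image"))
```

The Edge TPM telemetry write and the explorer.exe launch in the sample events are there as negatives: the first touches no Run key and the second is an allowlisted Windows-root binary, so neither fires.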
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  8424.exe        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened  421510305.exe   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened  syscrondvr.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Key opened  942711417.exe   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Both IoCs here are attributed to msedge.exe, the browser the sample launched, not to the Phorphiex payloads.
  Key value queried  msedge.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key opened         msedge.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Enumerates system info in registry 2 TTPs 3 IoCs
  Key value queried  msedge.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Key value queried  msedge.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key opened         msedge.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Modifies data under HKEY_USERS 2 IoCs
  Key created      msedge.exe  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  Set value (int)  msedge.exe  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921671735440232"
Modifies registry class 2 IoCs
  Key created  msedge.exe  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Key created  msedge.exe  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342576763-1998465526-3870295501-1000\{8C1CDBF7-D6D5-450D-A238-7EFE2D4AAB82}
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid   Process
  1060  msedge.exe
  1060  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  pid   Process
  5404  msedge.exe
  5404  msedge.exe
  5404  msedge.exe
  5404  msedge.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid   Process
  5404  msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; "count" is how many times the row appears in the original 64-entry list. Every entry is a parent writing into a child it spawned (1184 spawns 3652 and 5404; 5404 spawns its Edge helper processes), matching the process tree below.
  source PID  target PID  Process                                                                                         procid_target  count
  1184        3652        2025-05-19_137278ef2bde70e41d136b9c6cd348b7_black-basta_cobalt-strike_hijackloader_satacom.exe  85             3
  1184        5404        2025-05-19_137278ef2bde70e41d136b9c6cd348b7_black-basta_cobalt-strike_hijackloader_satacom.exe  94             2
  5404        4596        msedge.exe                                                                                      96             2
  5404        1808        msedge.exe                                                                                      97             2
  5404        3760        msedge.exe                                                                                      98             51
  5404        2700        msedge.exe                                                                                      99             4
Processes
Depth in brackets; each entry gives the PID, the command line as recorded, and the signatures attributed to that process.

[1] PID 1184  "C:\Users\Admin\AppData\Local\Temp\2025-05-19_137278ef2bde70e41d136b9c6cd348b7_black-basta_cobalt-strike_hijackloader_satacom.exe"
    - Downloads MZ/PE file
    - Suspicious use of WriteProcessMemory
  [2] PID 3652  "C:\Users\Admin\AppData\Local\Temp\8424.exe"
      - Downloads MZ/PE file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] PID 1468  C:\Users\Admin\AppData\Local\Temp\421510305.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] PID 1632  C:\Windows\syscrondvr.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        [5] PID 3204  C:\Users\Admin\AppData\Local\Temp\942711417.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
  [2] PID 5404  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] PID 4596  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ffcb668f208,0x7ffcb668f214,0x7ffcb668f220
    [3] PID 1808  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1928,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:3
    [3] PID 3760  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2260,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2
    [3] PID 2700  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2616,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=2736 /prefetch:8
    [3] PID 3996  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3436,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
    [3] PID 5800  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3460,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
    [3] PID 3612  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4904,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:1
    [3] PID 2844  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:8
    [3] PID 6128  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5016,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
    [3] PID 5680  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5656,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
    [3] PID 2808  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5656,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
    [3] PID 5308  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:8
    [3] PID 2720  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=124 /prefetch:8
    [3] PID 720   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5972,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:8
    [3] PID 3264  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8
    [3] PID 4532  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
    [3] PID 4184  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:8
    [3] PID 800   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3660,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:8
    [3] PID 5744  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6408,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:8
    [3] PID 1060  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6488,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5764 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] PID 3568  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3872,i,11054394738043764405,12499646599835852177,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8

[1] PID 2892  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

[1] PID 5392  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  [2] PID 5400  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

[1] PID 3776  C:\Windows\system32\cmd.exe /c C:\Windows\syscrondvr.exe
  [2] PID 3220  C:\Windows\syscrondvr.exe
      - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize: 1KB
MD5: ee002cb9e51bb8dfa89640a406a1090a
SHA1: 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256: 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512: d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize: 84B
MD5: e0909520982fc48e47a6451443b11741
SHA1: 0e46425274933c153ebf5a03f25e693267a8cea2
SHA256: 2e9e6138305d702f3c9b89d6e9dc4931b548c69bb86db64e585fa2e37b8ef654
SHA512: 3fdf504cb0bf39a807fa15a8ec31a6efd8083888692935ec31d70b4ef6eef89b8527c6a75a46bf7ae3efeeaa507ac3c7cccda5246a2f073ac603a7ffa10d20a8
-
Filesize: 117B
MD5: ec2d07974ef45152a83c82d09a08e138
SHA1: cdfca8778648c74844b359b2d0f1d405302de8f6
SHA256: bd6ad3cd015f36a4958892945f666703aeb10b2999422f58b699ba2d0895fa87
SHA512: a9ec4562f90d2400229c6b30259ba569181398e20ede3dee4e8199a3c46f7607de5f78ab2ca115d83e7296f4e373625790ebe00108f1d0568b8f6f42cbc26dde
-
Filesize: 79B
MD5: 89217e000f3145a2523e43f947208e79
SHA1: cd7915d003ee87f2babc9ee9add12841022710ac
SHA256: 6722a860c855cf94a54fd1ffdd3801c4c949f5b67d8601ad300264931057f2bb
SHA512: 385257ef9c67d80006eb350ac79718f30e08d810a1568454806f2505b482e0093f784d0d4cd24078317f863db500898343ce69391c0ae7fc767697f6da38eeaf
-
Filesize: 176B
MD5: 778202dc964e7fb0ab5bed004f33fb14
SHA1: 932ed013275e2c1172575885246c937c7cca87af
SHA256: 4474f08d1718da148ddb55aeb998886c053f6539c2fee3b3b1796f3855792ff9
SHA512: 9105af9928af4bcceb2cdc2161137ef6b07f4b97d663bbf27086f80dd266e967a5524aa5aec3f457493a0c4b98aa092aac6bd5062e72cbd4d939402c92093948
-
Filesize: 280B
MD5: d17338f2e464820220821318a9c0e5f8
SHA1: b9add8dc5cc83758758a5d5316b4f885bc352af2
SHA256: 2a11f5af7aa9cd3d6262f5db33956ce7b9037149614484f986fb6de61cef5c97
SHA512: 5aacea61df92c43080d7b8b69d3dad739dfdd86356c1e3eaf72a3b189bf9a20e6afc2b5e9c65839e48f1549b7f348bd2010f43b29624e03b363f5d26c404166e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: 6b20943f358d0737960b7bbb1372564d
SHA1: 07341583311b332a0c3cac6e0cbdfce2a188fe4d
SHA256: a397732771100d21f0453986b3b6d325a01ae52e92e99faf2ebfde29191396b4
SHA512: 456449c0f46749c3ae1b61fc8d6e476d08992178e5ee59510407eaad4e6252c20447cc85682054adbaefd0a08a7870ba2d0994cfa2be23dc35742d5269155418
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe580644.TMP
Filesize: 3KB
MD5: 32fbe78e4ff2b6d423080aa9148763bf
SHA1: 1ca0b33d9879623dd8995a5b2fbc15b424c4139e
SHA256: d00c1b52a59a69c13b318484e5068e4abf7e9e87c6df684b0723ed72c8155d67
SHA512: 8c5f8617c03095aa1728d657558e02ad8f6ff7ac928d9fff9e34b87620b45ebbaa131801da95a11f3bdd5c223bbe1eb8c080a2f64c0929825a2ab4cebbc63cc0
-
Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize: 2KB
MD5: 3ff34d4e29435c5d38002ec2e0e76064
SHA1: 0aa66afeea056817290b4dc994e6eabc3252db78
SHA256: 3eea6e3122155510215ba70ebfd72314c0e5da074bcefebc90e644a74452833c
SHA512: fd9c2cfac5af5651a7ace166cc86a85a085a8a23d1814e34fcf6477fffe439df794c92266b71daf0e15fc90fb4d2a1f37f3325dd2ed99f039a8fe2802144a9f2
-
Filesize: 2KB
MD5: f0ec99ad2a360fe17ba5725b1c94b252
SHA1: 53dace8e64d9965f6ce6f4cf03517327f63751d3
SHA256: deca99913b1e3584e79532529ebb18e5183e205d126529bd8e1757723e8706d7
SHA512: b5bf612470389a318bdf6847413cebdcb6b1e353ea6a8711942357ed90c7390561930fe8199bd68c2fb3a51198b9e23ef41fbd0b15d082f340ea6e02a112c03e
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize: 16KB
MD5: 4819c2d53c6a4145e0d39eea10a5efe6
SHA1: ea77dc891fffb85fcc5a7c6c49943a0f0cf5c00a
SHA256: 79a3147c13d36d76c8b3ce3b76213eeee4df3bc48111c405cf2ed84e90a8a22c
SHA512: fe419581ed2c10fb109b724cd2d92550cfb01383274060d4b77b6b6b26013c82d123c513ea85aadbcb0b11eae90da9e3ebe9ffb0a90a97dec74bf9d8a59c77af
-
Filesize: 16KB
MD5: 10a45d6f415b6f0176323792088bec8e
SHA1: ff3be6372369baa049958a1eb45858dc8ff90369
SHA256: af4a863fc354c612929d31cdf7af08253f81aa92d0cd4bc3d5523d7edce63d33
SHA512: 13ae0407c45f070a324fbbc26c0db83ba79d8b14994ad8fa2b748c510fdba7ee8bbfd80ab0b3d203e2fa4ff3aed68f8abf4d882a0e05f65e0ca75a141b36d5cf
-
Filesize: 36KB
MD5: 2ea43ebc89f2be111e91a7202fc5aac3
SHA1: 11ce465e03479490817c436136ecf6a3f2b70289
SHA256: ef2a403a9d52aa250683c9e8c233217ec1f2d8eb5d46fd15dc5333bc12d9a012
SHA512: 01b4c24f0c6c936bc71faad581ba3f3603e950e4e89c5f776d91857c8726b6e481815801c75fab54a7fc68a9a7a396f0b3e03fecff004eaa694940950f4b9530
-
Filesize: 22KB
MD5: 8fd4412319167c6b3420c5edd3960176
SHA1: f3da9dea5a5e8738d3849faf5da9ec9b92aa4860
SHA256: 7e947e16146108bb3e7662cc30c02931899530952adefb928d2fdb311bdd2def
SHA512: f1afca5d3a4113d5116827f4c94388f80e16330a5080c1bdc0e982ab12e865e374ed56a69a53f35d0c64a12db7a0d16bec91d338b6a8690a360cc9a83cf3658d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d40f3ec5-f4cf-43c5-89ac-4b65c4d2b252.tmp
Filesize: 108KB
MD5: 06d55006c2dec078a94558b85ae01aef
SHA1: 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256: 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512: ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60
-
Filesize: 462B
MD5: a9ed32a41f6ea90f1e04b906ee018143
SHA1: 193df13af2fd0c9d89f12890eaded9d2ac38ccf4
SHA256: 391edb827142114dfa16f832f4f1dd4016cf92c87a0c3250c80c6dbc38fdd9a4
SHA512: ac600b815c2f03fd91ce51964cabe5e80f1ecefbf88d9981bbb4e5b5a3939dfa205bea3be524eca568b6e27974d1915ebe0ae73748ae081323c464daec98a24e
-
Filesize: 40KB
MD5: d5b282ec75ff7cdefe24930e7670fae6
SHA1: e45aeddfee45cfdb703206ceed6dcd267d520728
SHA256: 54d666f856feb92e7dd95ac9c69a41c5c965c3e9254bea45e1859409b381fe72
SHA512: 4c42367c88dad36a03de13a54717d501aebef42e16737bcc184f003ae9b9ef8674411985d7454a960487204df297000399db0ef36da7e2f5fa9cfac585420cce
-
Filesize: 48KB
MD5: 812e1dc69f819830dac01039a2b2293c
SHA1: 2ec671a78f319008739233a4f362d3334dc58a95
SHA256: d99db12baa30009daeef5c36427595a60b71debc6ec22f66831f281e395cb4fb
SHA512: a9d8d11c1c6bf113c2f53a3453e13e37a6777a2b7be14289fd9f26dd33e654c5daf711686681c44b0c541907dc4043dd3ffaf6173e855e9542a0cee5658e6df6
-
Filesize: 40KB
MD5: 27e3745f90548c6ac300e17a87b2a8cd
SHA1: e9a7601a719934907c4359b4f4a443fae73f24a6
SHA256: 4e0d3ee09bfcf0e7c5aa916ef36dab1700537c7d6e314517874dfda82e689c75
SHA512: 19b2060e8711123e9a4bc264d29036d779e975bef7f74a969f47f226d392016eee46d3484ef7fc748a5b236406039135f0d519b8714c7354a3b55b528d94b706
-
Filesize: 54KB
MD5: bed81a5ccad5a0f2ac69b6842761a59e
SHA1: f60a5c56500392407d4c34e517adb5fb114b5008
SHA256: f3f9e0699ad346bad89128356b06d47db0e6cd88c7f5ca8392c64936528fba2c
SHA512: 77f25baad6c12b7ebce10b72d2c613cc16490a806f9d7577f16838709435abccf6100c01aa2260f73a32d6546e877970a471f7d0ae162906802b786fe56aa997
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.5.15.1\keys.json
Filesize: 7KB
MD5: 03f15dff10ac451682f8a308674ddf77
SHA1: c723e23c49bed8a52b8f947b2cb8879a110fc94b
SHA256: f967e18d5b1839ba801212f032e7e6dd92f7ba6958bc3ae9b122d9fadf2b1bf4
SHA512: df8fdc89cc1e6f2edce49b41bd9f71dc7f7a8daab40f1355415119f9c0a0d5067337d966472ad49f855ecb9a89bee8d1711d8a869589a03e469530ee8d7e0f3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.5.9.1\typosquatting_list.pb
Filesize: 67KB
MD5: a50b46aa311787328482750c251d2633
SHA1: eaa327f9a89e5ec13301979f4ce49a36fc871049
SHA256: 019b9efc88e3e5939912472d7a9e43a8d9b675fff7ebf9b7b445042f6de4b721
SHA512: a6820b29aa645abebeca3683ceb91372d69d8e589859e03f653ad6b2f3470ce2248603ce265c5d11f3da4833776d22493f3371e8e297591b678fa364bb5dc149
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: ffa968bec47aca85c15c55b9cef2af23
SHA1: d4fd63bf3c859a0c52c2f4eadc53dd916f201a70
SHA256: 9834bd9929116eddcd1262b2a85616b33ce33d8eed232eb0a4ec93ae091d7097
SHA512: 4c55e2ad87a2c2f2c206858a03b35b5c9577b1b9182f5f6d08db5b8ad99317fea62f26a797bf041f538f12451d9b58bf4f759978d9f190a43bf643bb35bcb716
-
Filesize: 80KB
MD5: f30fdbf3448f67cbc3566f31729cb7a6
SHA1: fbf005c38f4a1c2e86817a2cb70406fc241f2c90
SHA256: 81783b558904becc5b86553faba9525070de5f43339766eb1c025bcfbfe1eef8
SHA512: b428df2c8f8b4a002c8d7e1bfd9926e5cf95ee998688a2c360b8551e80be5bfbfa17ef210bea35f247da4a5c8a940fb5dba49f4786da9a74e5d001b771c8e9a8
-
Filesize: 10KB
MD5: 0ec46393976eb51f307cc11d80bae845
SHA1: 69d4cb168f3a1b97c37a0ba1519d0adb1ff7e245
SHA256: 252171bdaa35d19f872c165e861b03d347a4afb85d7a03d02f8eae09d191038d
SHA512: 803351760e3c422e4825103235e13085004b3418b483a2c646aafaef62b7212a1ba4ed28469134a236c5b6121e6a748ba958bbae2dbe4afe9f9f45704928d31f
-
Filesize: 10KB
MD5: c08cfa523c9377d3ae24fdb373b3ae13
SHA1: 5289219770ad28b0fa4f0bdd91817f76bd6be222
SHA256: 326c70a965d4e642275c26cd913e268b1db89edd59b31a86ee600a7a9c664eb0
SHA512: c91acd580ac832d5fed363a9a2b98b724a255d82e4fdda6eca62133feb5e60dd79a8caca36597a52bfbfa907a44208c48b15142e2e6020db219d14e970c3f57c