Resubmissions
Submitted          Analysis ID         Score
29-06-2024 09:31   240629-lhfyksvcre   4
29-06-2024 09:31   240629-lhafssvcra   3
29-06-2024 09:31   240629-lg1llavcqf   3
29-06-2024 09:29   240629-lf16qsxgjk   3
29-06-2024 09:25   240629-ldzvwsvclb   7
Analysis
max time kernel: 141s
max time network: 139s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-06-2024 09:25
Static task: static1
General
Target: cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Size: 90KB
MD5: d84e7f79f4f0d7074802d2d6e6f3579e
SHA1: 494937256229ef022ff05855c3d410ac3e7df721
SHA256: dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227
SHA512: ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260
SSDEEP: 1536:gea4Ta4b9I3BbbHVlnOXrPBdfeISRAOl801AbcsqD95wSxdRf3:gea4Ta4JMbb1lnOXrPXe7Yhq5Zf
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
Processes:
  pid 3760  SystemSettingsAdminFlows.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only)  \??\F:  SystemSettingsAdminFlows.exe
Drops file in Windows directory (64 IoCs)
Processes: SystemSettingsAdminFlows.exe, UserOOBEBroker.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (duplicate rows collapsed):
  pid 2556  msedge.exe
  pid 2792  msedge.exe
  pid 1976  identity_helper.exe
  pid 1768  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
Processes (duplicate rows collapsed):
  pid 2792  msedge.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes (duplicate rows collapsed):
  Token: SeBackupPrivilege             pid 3760  SystemSettingsAdminFlows.exe
  Token: SeRestorePrivilege            pid 3760  SystemSettingsAdminFlows.exe
  Token: SeSystemEnvironmentPrivilege  pid 3760  SystemSettingsAdminFlows.exe
  Token: SeSecurityPrivilege           pid 3760  SystemSettingsAdminFlows.exe
  Token: SeTakeOwnershipPrivilege      pid 3760  SystemSettingsAdminFlows.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (duplicate rows collapsed):
  pid 2792  msedge.exe
Suspicious use of SendNotifyMessage (12 IoCs)
Processes (duplicate rows collapsed):
  pid 2792  msedge.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 3760  SystemSettingsAdminFlows.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (duplicate rows collapsed):
  PID 2792 wrote to memory of 884   msedge.exe -> msedge.exe
  PID 2792 wrote to memory of 1148  msedge.exe -> msedge.exe
  PID 2792 wrote to memory of 2556  msedge.exe -> msedge.exe
  PID 2792 wrote to memory of 3664  msedge.exe -> msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  "C:\Users\Admin\AppData\Local\Temp\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
- C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2157517
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9db173cb8,0x7ff9db173cc8,0x7ff9db173cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,14835550588384134747,4756136898742888450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads