Analysis
max time kernel: 147s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 01:05
Behavioral task: behavioral1
Sample: 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
Resource: win7-20240508-en
General
Target: 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
Size: 858KB
MD5: ab816e184fb037214548c813795ede45
SHA1: 19ee539d547e67119f0314a261c7220bf5a8399f
SHA256: 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3
SHA512: 70464e04a7c6777836c35354b5e28ea3fa41adbb498d268756d42b341752962fb055769302cc17cc38ea1c19c053dda0c9f8b3fb469fdfb7993802d2f875a933
SSDEEP: 24576:/EN973phvt8tmUdkw1xG8fFjGMaOnO+pwFL9N09PPP:/EN973PvEL2wHBODLcPX
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1316-1-0x0000000000130000-0x000000000018E000-memory.dmp | family_agenttesla
behavioral2/memory/2996-106-0x0000000000400000-0x000000000045E000-memory.dmp | family_agenttesla
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | mighost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | mighost.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
220 | mighost.exe
2996 | mighost.exe
388 | mighost.exe
1596 | mighost.exe
-
Processes:
resource | yara_rule
behavioral2/memory/644-0-0x0000000000860000-0x00000000009FE000-memory.dmp | upx
behavioral2/memory/1316-7-0x0000000000860000-0x00000000009FE000-memory.dmp | upx
behavioral2/memory/644-32-0x0000000000860000-0x00000000009FE000-memory.dmp | upx
behavioral2/memory/644-49-0x0000000000860000-0x00000000009FE000-memory.dmp | upx
C:\Users\Admin\cdp\mighost.exe | upx
behavioral2/memory/220-104-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
behavioral2/memory/2996-112-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
behavioral2/memory/220-121-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
behavioral2/memory/220-140-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
behavioral2/memory/388-176-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
behavioral2/memory/388-215-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
behavioral2/memory/388-218-0x0000000000950000-0x0000000000AEE000-memory.dmp | upx
-
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/644-32-0x0000000000860000-0x00000000009FE000-memory.dmp | autoit_exe
behavioral2/memory/644-49-0x0000000000860000-0x00000000009FE000-memory.dmp | autoit_exe
behavioral2/memory/220-104-0x0000000000950000-0x0000000000AEE000-memory.dmp | autoit_exe
behavioral2/memory/220-121-0x0000000000950000-0x0000000000AEE000-memory.dmp | autoit_exe
behavioral2/memory/220-140-0x0000000000950000-0x0000000000AEE000-memory.dmp | autoit_exe
behavioral2/memory/388-215-0x0000000000950000-0x0000000000AEE000-memory.dmp | autoit_exe
behavioral2/memory/388-218-0x0000000000950000-0x0000000000AEE000-memory.dmp | autoit_exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 644 set thread context of 1316 | 644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 220 set thread context of 2996 | 220 | mighost.exe | mighost.exe
PID 388 set thread context of 1596 | 388 | mighost.exe | mighost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4460 | schtasks.exe
880 | schtasks.exe
2176 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
3040 | msedge.exe
3040 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
3660 | identity_helper.exe
3660 | identity_helper.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
Processes:
pid | process
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
-
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
pid | process
644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
220 | mighost.exe
220 | mighost.exe
220 | mighost.exe
388 | mighost.exe
388 | mighost.exe
388 | mighost.exe
-
Suspicious use of SendNotifyMessage 33 IoCs
Processes:
pid | process
644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
1448 | msedge.exe
220 | mighost.exe
220 | mighost.exe
220 | mighost.exe
388 | mighost.exe
388 | mighost.exe
388 | mighost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 644 wrote to memory of 1316 | 644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316 | 644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316 | 644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316 | 644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 644 wrote to memory of 1316 | 644 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
PID 1316 wrote to memory of 1448 | 1316 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | msedge.exe
PID 1316 wrote to memory of 1448 | 1316 | 1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe | msedge.exe
PID 1448 wrote to memory of 4256 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 4256 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2060 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 3040 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 3040 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
PID 1448 wrote to memory of 2096 | 1448 | msedge.exe | msedge.exe
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
  "C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
(level 2) C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe
  "C:\Users\Admin\AppData\Local\Temp\1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe"
- Suspicious use of WriteProcessMemory
-
(level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10430030281588601351,13312045209064427464,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5412 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
(level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b5231db9ecf854eff2ac1709f121a6c26c263e4b7975674c61bf6de705227a3.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
-
(level 2) C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
- Scheduled Task/Job: Scheduled Task
-
(level 1) C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
(level 1) C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
(level 1) C:\Users\Admin\cdp\mighost.exe
  C:\Users\Admin\cdp\mighost.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
(level 2) C:\Users\Admin\cdp\mighost.exe
  "C:\Users\Admin\cdp\mighost.exe"
- Executes dropped EXE
-
(level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
-
(level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
-
(level 2) C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F
- Scheduled Task/Job: Scheduled Task
-
(level 1) C:\Users\Admin\cdp\mighost.exe
  C:\Users\Admin\cdp\mighost.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
(level 2) C:\Users\Admin\cdp\mighost.exe
  "C:\Users\Admin\cdp\mighost.exe"
- Executes dropped EXE
-
(level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
-
(level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mighost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b83647184⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn TRACERT /tr "C:\Users\Admin\cdp\mighost.exe" /sc minute /mo 1 /F2⤵
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads