Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 04:37

Static task: static1
Behavioral task: behavioral1
- Sample: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
- Resource: win7-20240508-en
General
- Target: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
- Size: 2.6MB
- MD5: 5e1bdb42ba791951c91fd7d3dfc7cf70
- SHA1: b9fed0cf7ef7a9e5232c4a24acd60e9901234ad4
- SHA256: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467
- SHA512: f7de506c97ddbef58e2e59f7ee9cfc42d2499a83d801108677abcb7aefdf6821e843ac61796a29fc63fbd3adc77d4e94a9d51aeefd5d52fc291a05c7a7742ada
- SSDEEP: 24576:+A8vyrepIND/0bfSPdaYXRFT3KR+h+8fEvdDrGnrdEROGHOhdYiWdCMJ5QxlpYCi:+A81IJPf1lEvdDqnroHOwiW0MbQxJHO
Malware Config

Signatures

Drops file in Drivers directory (1 IoC)
Processes: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  description | ioc | process
  File opened (read-only) | \??\G: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\H: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\V: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\W: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\S: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\U: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\E: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\I: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\J: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\M: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\N: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\B: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\K: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\Q: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\R: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\X: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\Y: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\Z: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\A: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\L: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\O: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\P: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  File opened (read-only) | \??\T: | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid | process
  2780 | msedge.exe (2 entries)
  4880 | msedge.exe (2 entries)
  1088 | identity_helper.exe (2 entries)
  1388 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: msedge.exe
  pid | process
  4880 | msedge.exe (10 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe, 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
  description | pid | process
  Token: SeDebugPrivilege | 4560 | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe (2 entries)
  Token: SeDebugPrivilege | 3756 | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe (2 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
  pid | process
  4880 | msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
  pid | process
  4880 | msedge.exe (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe, 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe, msedge.exe
  64 entries in total; identical entries are collapsed into one row each, in the order observed.
  description | pid | process | target process
  PID 4560 wrote to memory of 3756 | 4560 | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe (3 entries)
  PID 3756 wrote to memory of 4880 | 3756 | 51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe | msedge.exe (2 entries)
  PID 4880 wrote to memory of 320 | 4880 | msedge.exe | msedge.exe (2 entries)
  PID 4880 wrote to memory of 748 | 4880 | msedge.exe | msedge.exe (repeated)
  PID 4880 wrote to memory of 2780 | 4880 | msedge.exe | msedge.exe (2 entries)
  PID 4880 wrote to memory of 4992 | 4880 | msedge.exe | msedge.exe (repeated)
Processes
(The number in brackets is the depth of the process in the tree; indented entries are children of the entry above them.)

[1] C:\Users\Admin\AppData\Local\Temp\51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\51afbaedc7250c3e66a7877f92c02b2ac42bafe2528e4784200786b15a872467.exe" Master
      - Drops file in Drivers directory
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffe776646f8,0x7ffe77664708,0x7ffe77664718

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8676146005697326470,15167481349066063621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
- Filesize: 152B
- MD5: 4158365912175436289496136e7912c2
- SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
- SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
- SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
- Filesize: 152B
- MD5: ce4c898f8fc7601e2fbc252fdadb5115
- SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
- SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
- SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 5KB
- MD5: 85b10e485e3a9e05d77d83c5d99997d2
- SHA1: 953781133d3c3b67b0f4509a02b371e8eecf035f
- SHA256: 46854167bf3b08fd7389ad18d1c738b5a84a6e4ec9588b4564b735b22ddd218e
- SHA512: 0ab6219e299e2ebe0f90e27641747aafa8f94b7888f88a3cbcf0f83d58f39ebde8b492282cc8a808e2a41965eab2417af1e04a6d5bffff04c2f903094bcb43fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: b0480c3e59512bdf3209e33d1903ebb8
- SHA1: 52a61a5b44bedaa1657eef9a4b67dee2c1f0cf5d
- SHA256: a1df5eee672bf95067506457b1bd1ab8377f5d5a7ea029ceef742271c231161a
- SHA512: 2089ea79cf8c2be921081a93a2338127cc1e71c0605fbcbb748de683bb66ec27d85799a81855c435037a6c231c0da7f9331257b5e5cab162878f3a83cb8ca069

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
- Filesize: 16B
- MD5: 6752a1d65b201c13b62ea44016eb221f
- SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
- SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
- SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
- Filesize: 8KB
- MD5: 41cb30a412995c388ad3baa1cc90bd40
- SHA1: f8c3abd520534f1b731ee85fe31eb22924f4982d
- SHA256: df8deed395cde64d0e7110fa0fd9a88765d2c4b07fd9830e211c0f33a0b0e906
- SHA512: 863a02f436376077acda63c3d603749d4e868a6e40b528158909cafd808a92a7d6ad7c281c18e1cb752d4f9fec3fbbfd9688ed3a0235913766423e72311ae835

\??\pipe\LOCAL\crashpad_4880_RCXMUHBGTIQNHAZO
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3756-2-0x0000000002590000-0x0000000002591000-memory.dmp
- Filesize: 4KB

memory/3756-5-0x0000000000400000-0x000000000069F000-memory.dmp
- Filesize: 2.6MB

memory/3756-8-0x0000000000400000-0x000000000069F000-memory.dmp
- Filesize: 2.6MB

memory/4560-0-0x0000000002330000-0x0000000002331000-memory.dmp
- Filesize: 4KB

memory/4560-1-0x0000000000400000-0x000000000069F000-memory.dmp
- Filesize: 2.6MB