3f75f1a057013b0fd0696515c92745e88113ac14700e52341331b43b0afe9782

Analysis

max time kernel
129s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2022, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Payment Settlement for Inv #262495.html
Size

2.5MB
MD5

df0f100780a15788435df98da5faefd7
SHA1

adf9376461f80103e6c03d79cd55b72e140fe997
SHA256

3f75f1a057013b0fd0696515c92745e88113ac14700e52341331b43b0afe9782
SHA512

028156af22e99bbb4326acf8b102a24ec7ac47537eb24b9c051180f5a32710da819a4d635dfc92bbd8790ec541c4d664d315539e3a55297907fb18588be97fb1
SSDEEP

24576:7Aj1Oi5wWRddls4N0E5RYfttMHFawAWZxE3FznM2CX6Sv0gdm:Z

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\41340dfe-7ab8-4151-80f6-c4bedb9550dc.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220923185001.pma	setup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000009def25d391da234fd27bdc6d3530bc65676c2e20a875acf7caa16bc6f30bd4bc000000000e8000000002000020000000fde3e9cfe9f6ce843158bd4bd01291447c948bdb2766df9f71ce193fae0cef74200000005d08900aa9b59a69f65deabd762cf8ebba325d91fd1341e3db312ebbcd88481240000000916fc75918bb40029a656f8638b68b8ab2d8686a57edde8aec712117ca214fecf757b86daa47e3ead9af4ea93d5eb6891d7114800fcfcdc676ba779f8eaf0bb6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000d2fdc6a18e13fd2fdcdbc32b8cf017484214c3f8d3e7f555815f1c0ece061c3f000000000e80000000020000200000009ee0d1575757ae34d75c155151fa9499fe1bf6c4e2a0eeb443fe53adfe7ad9e620000000cd6fe86af981228980c5bdfdffcec0de7b3cf4fe51a8ff117d15fd9f6b5e2345400000009f2a63e972d9250f44365ca048481d01723f00d61c9ed7b41bfac6f1173c59ef9d3e9fa33bf7c6f615eea4cdd1b67f89aaef77ce9fdc6beb8b2577a28911fd3d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "493711873"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986109"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f414227dcfd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000030000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986109"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370723874"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "493711873"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986109"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "533247392"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09c06227dcfd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{48ADDCEF-3B70-11ED-AECB-F22D08015D11} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3228	chrome.exe
3228	chrome.exe
5464	chrome.exe
5464	chrome.exe
5616	chrome.exe
5616	chrome.exe
5964	chrome.exe
5964	chrome.exe
6024	chrome.exe
6024	chrome.exe
1564	msedge.exe
1564	msedge.exe
6132	msedge.exe
6132	msedge.exe
1704	identity_helper.exe
1704	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
1180	iexplore.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
3228	chrome.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1180	iexplore.exe
1180	iexplore.exe
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2076	1180	iexplore.exe	82
PID 1180 wrote to memory of 2076	1180	iexplore.exe	82
PID 1180 wrote to memory of 2076	1180	iexplore.exe	82
PID 3228 wrote to memory of 324	3228	chrome.exe	100
PID 3228 wrote to memory of 324	3228	chrome.exe	100
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3616	3228	chrome.exe	101
PID 3228 wrote to memory of 3684	3228	chrome.exe	102
PID 3228 wrote to memory of 3684	3228	chrome.exe	102
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103
PID 3228 wrote to memory of 3260	3228	chrome.exe	103

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Settlement for Inv #262495.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff74844f50,0x7fff74844f60,0x7fff74844f70
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1612 /prefetch:2
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,6058050850034076778,17744617948853325159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff759f46f8,0x7fff759f4708,0x7fff759f4718
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3256 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff78ac15460,0x7ff78ac15470,0x7ff78ac15480
    3⤵
    PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7108543585484077319,7835085355381288077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
86a088ce1e61044017336da9c2f25ce6

SHA1
5023e4cc5258eb752b9142b25cfc991b8105ee5a

SHA256
8eb29c206cc2ff6d97037c34ab74ab7224d5fdc0f5a6953fd4f11e4665c1fa1f

SHA512
533a48b55b7fa6b9f0917e3b8a8acbb4463b03d31c6d9194eeb742c5a3888903c67edb6947dc119874e291c11f5e1daa54cf0314cb80529a7ed332308433a3cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0a8ccb22b686f8477bd7c0815474980f

SHA1
4a8127d2f3e3840737696dbbbae0bdaea33da790

SHA256
1792128e4ffcb7422d38888abd7879f2958acaebddd325a27a2144bea963e825

SHA512
53cb292ad44cb41d9f1e68d4b532a0fb6396b74a86edb2c95033d27620f60b58b6c45ba97291f8397a07a6556952f611901b88bd1983027197555983093738f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
bdac7729299781ae94be4ac6a3cdc756

SHA1
053cf0473589f20fd2db3c8535e56e34b6da6933

SHA256
bfec86c8d3d5928afad2ef0064d78e4a3d1a8bf5b657583135fa2558ef0ccd6c

SHA512
c43c2bc20558c8cd5d19b026bbf091f335cbc2a3c5b0a8e0606b6724e938855239a952692d59e942e77e578ba0c29c60b50d8d4d693d2c5f3a02ff2d3ba306a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
551db6a9c594a6eafefc3ee3c7f3eaf5

SHA1
c63e3154cf3ccaae762ab506d9706e21fb5fc46b

SHA256
ef8b8b34e2f6837453e315cc1a877751fedd14ae728749f005f0f9986dd9a713

SHA512
aaf7784727e04dea6059bb94bcbc5fbe9b8a841e9057f425e6c4479a831ed3d8d404b23178b6b2ab7babd817285c3a67b2f50ce6db948958dbcbc4dcc5c8ccac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
94KB

MD5
c4a278c5438a506222b3e8ca5f09c430

SHA1
f98cc42e1194c53c4f89b8e9b77586e2478d83d6

SHA256
b40cbd31088f190b05ec8cacf248a8cb67961b12d5f95310cffd236960cc9b4c

SHA512
536069cdacb3811dd0873fabdfbe413ca7b657d4abf3f4aadf60668dd72ffae874ef19a02f9573d92ff56e1906a17bee731c93a76bd30d40ce498a1068d60eaf

Download Submit