f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f

Analysis

max time kernel
146s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
Size

566KB
MD5

519326c59b148171f46535c4dc22dc76
SHA1

6faec1ae10c597455ff6768425c3c57aa31fd855
SHA256

f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f
SHA512

6ba4e65739617f2d174bb3bd840ca8d81e1d5cfc4e6849d876a281f01c78ac5a20e22132542f1c0b7dc20e6be24495cdca623121a4a2c410be9f48fefdade903
SSDEEP

12288:e0nyfXuIBDtfuRhKzh5jOZ03O21JDM7eAc/cIkj1LJ+Ul5yxWA9:rny/f9uRhKzT53Bhhkj1LyD

Score

8^/10

microsoft persistence phishing upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

p3suy.exep3suy.exe

pid process

1284 p3suy.exe
2388 p3suy.exe

pid	process
1284	p3suy.exe
2388	p3suy.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/856-139-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/856-141-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/856-142-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/856-144-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/856-143-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/856-150-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 2 IoCs

Processes:

p3suy.exevbc.exe

description pid process target process

PID 1284 set thread context of 856 1284 p3suy.exe vbc.exe
PID 856 set thread context of 2388 856 vbc.exe p3suy.exe

description	pid	process	target process
PID 1284 set thread context of 856	1284	p3suy.exe	vbc.exe
PID 856 set thread context of 2388	856	vbc.exe	p3suy.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bd7bed10-66c4-489f-b8f5-9f8e06852502.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221202135038.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3596 PING.EXE

pid	process
3596	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

vbc.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
856	vbc.exe
856	vbc.exe
3344	msedge.exe
3344	msedge.exe
3444	msedge.exe
3444	msedge.exe
2672	identity_helper.exe
2672	identity_helper.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3444 msedge.exe
3444 msedge.exe
3444 msedge.exe
3444 msedge.exe
3444 msedge.exe
3444 msedge.exe
3444 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3444 msedge.exe
3444 msedge.exe
3444 msedge.exe

pid	process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

pid	process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exeWScript.exep3suy.exevbc.execmd.exep3suy.exemsedge.exe

description	pid	process	target process
PID 5108 wrote to memory of 4972	5108	f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe	WScript.exe
PID 5108 wrote to memory of 4972	5108	f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe	WScript.exe
PID 5108 wrote to memory of 4972	5108	f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe	WScript.exe
PID 4972 wrote to memory of 1284	4972	WScript.exe	p3suy.exe
PID 4972 wrote to memory of 1284	4972	WScript.exe	p3suy.exe
PID 4972 wrote to memory of 1284	4972	WScript.exe	p3suy.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 1284 wrote to memory of 856	1284	p3suy.exe	vbc.exe
PID 856 wrote to memory of 548	856	vbc.exe	cmd.exe
PID 856 wrote to memory of 548	856	vbc.exe	cmd.exe
PID 856 wrote to memory of 548	856	vbc.exe	cmd.exe
PID 548 wrote to memory of 3596	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 3596	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 3596	548	cmd.exe	PING.EXE
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 856 wrote to memory of 2388	856	vbc.exe	p3suy.exe
PID 2388 wrote to memory of 3444	2388	p3suy.exe	msedge.exe
PID 2388 wrote to memory of 3444	2388	p3suy.exe	msedge.exe
PID 3444 wrote to memory of 3260	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3260	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3684	3444	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe
"C:\Users\Admin\AppData\Local\Temp\f8a9f83713405e179d30d6b04133e225741c85381151b9c2455e24d19beb749f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ixwx\8ry0s.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe
"C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && move C:\tdEMCEtdEMCE\tdEMCE.vbs "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdEMCE.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3596

C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe
"C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=p3suy.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
6⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf60a46f8,0x7ffdf60a4708,0x7ffdf60a4718
7⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
7⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
7⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
7⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
7⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
7⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
7⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
7⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6052 /prefetch:8
7⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
7⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
7⤵
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
7⤵
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
7⤵
- Drops file in Program Files directory
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6101b5460,0x7ff6101b5470,0x7ff6101b5480
8⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3740 /prefetch:2
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,13109417356294708316,775783032793618308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:8
7⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=p3suy.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
6⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf60a46f8,0x7ffdf60a4708,0x7ffdf60a4718
7⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15396792247596060601,1119565435201053439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
7⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15396792247596060601,1119565435201053439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
7⤵
PID:1944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9cc113cab81df2ff66421c3dd6bf4d31

SHA1
c1e1b1e2f007732c8c79eedac889b7312b08990e

SHA256
48438eda8d47a465f7aa67c36937ec174be450bea6b501e2fc1cc929c917e2ea

SHA512
e069f0cbd04f3fc91824df48f247e1542c6858cc3cf3dd4f16c26258beac2f7aa256bad6cdda3b2cef916afd186b269375a43013138fbc795f22c1367c799a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
90dc5449f9807a889ec3a578a0180796

SHA1
8e95bd738df0375245e009dfa359b7bc18320a35

SHA256
b3d9897d22975008c8a5eaa79ed2f91046365ff67dfbff4fb50494714363b8be

SHA512
922b01d1904d7a153436da1e4ae5faf0a97b496122b4608b8817490b81973b4f0de2ac64c055ec950dd081fb110075546787a28bf280d11023fb7de81d41c7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7fab6fd67307a303abba2d801b140e95

SHA1
8802983c1b3b19968002734668eac124e147d292

SHA256
422ee918c31afe677b18000c2612a5406dd978f6f0b824505750b76b5b33279b

SHA512
daefcc809606f7ff9a8ea3b833839ee608f1323b8f332d6330f2dc87916b9f292a44e01f110aa1be04e2df6ad002462ce3dc48ca47be4baa6012bb31bb7db762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
29e46152a8177198377ccd6ef84c4f19

SHA1
990db12ae0b37014dd8abe539b6bf2c654c39b5f

SHA256
0f9be49edaf36c08e693bd2e4bf0c893de96589eb961dad93f28b5b5210559df

SHA512
75253de4332a5014c2e67aa6ae0e80511a0723374a793ad6a467e2a6b9137ab67ab85091dfa15ffc5d1eb4df73ae30cf45de00a521e9186a345fbc0235bed67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7fab6fd67307a303abba2d801b140e95

SHA1
8802983c1b3b19968002734668eac124e147d292

SHA256
422ee918c31afe677b18000c2612a5406dd978f6f0b824505750b76b5b33279b

SHA512
daefcc809606f7ff9a8ea3b833839ee608f1323b8f332d6330f2dc87916b9f292a44e01f110aa1be04e2df6ad002462ce3dc48ca47be4baa6012bb31bb7db762

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ixwx\8ry0s.vbs
Filesize
100B

MD5
fab804804f7f0ee8008795292b55673a

SHA1
7213d8934e66c07afb233abb01d3f99de5a866a8

SHA256
9314f99fbfc97acdbee1ffa8e5e76f9c8a682f074affb0279e3d394762f08888

SHA512
95bf8c806dab70b8ddd7f92a9d76d099fa333e2f7c461f9c3a8cf0ada3e384b734115f96d5642a0100155478f0170a390dce408abe5b7b5d8f8be3b921527842

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe
Filesize
89KB

MD5
88bed359ac934343068b3ebae772d28b

SHA1
e7f28a4e2c2650dc14e670ddf71a9fc6738c7a9e

SHA256
c4aa98dbeb6afcf1a41eef2da74d1a89ba8d5bfb4c54bec36b7c8e2dbfdbfa78

SHA512
b299ce888e8121d689877cb419a5b31cbb3073a1808b53c2b60ed628b691be9bc5af2e6c5858a4a18374d785c57cffb2ee13cc9a295e298176810375dea07af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ixwx\p3suy.exe
Filesize
89KB

MD5
88bed359ac934343068b3ebae772d28b

SHA1
e7f28a4e2c2650dc14e670ddf71a9fc6738c7a9e

SHA256
c4aa98dbeb6afcf1a41eef2da74d1a89ba8d5bfb4c54bec36b7c8e2dbfdbfa78

SHA512
b299ce888e8121d689877cb419a5b31cbb3073a1808b53c2b60ed628b691be9bc5af2e6c5858a4a18374d785c57cffb2ee13cc9a295e298176810375dea07af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ixwx\x
Filesize
463KB

MD5
a9303dd438c71b6842e7482f6c0841c6

SHA1
f9284ecfecce37c41c71a39d8793b4b86e2e0ed7

SHA256
7a6761925987d87495cf05ba4418384f47f9b008be8ae482f982f8a7bbad4e31

SHA512
a65cbb2131d8347eda3293a87a3163548d555ae797a70cbe1ec601351604ffbdeb4e9ecab199a84fd0821063e3e34d1e165cffb3bd187372607135ad23c1b82d

Download Submit
C:\tdEMCEtdEMCE\tdEMCE.vbs
Filesize
207B

MD5
5cfe2691be4c514bd2bf079484b31584

SHA1
fcbe88bb9f5cbb40386beb93999940f0223b7177

SHA256
909e76547a44b47c5d562f3cc9e1d086530499911472137f1b7059f6870084f6

SHA512
b6d8855fd951561550d40fd36ff903d9ad5b37ae4adc85cdb4332bbf227a091460064b21af238b8f2a1e48a90af71a37efa50c234d016e5b83c0fc17f9717609

Download Submit
\??\pipe\LOCAL\crashpad_3444_FDTXPPWWRGGJDZCW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4996_BSQNRCVEOISUWGZQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-188-0x0000000000000000-mapping.dmp

Download
memory/452-189-0x0000000000000000-mapping.dmp

Download
memory/548-145-0x0000000000000000-mapping.dmp

Download
memory/812-186-0x0000000000000000-mapping.dmp

Download
memory/856-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-138-0x0000000000000000-mapping.dmp

Download
memory/1284-135-0x0000000000000000-mapping.dmp

Download
memory/1424-176-0x0000000000000000-mapping.dmp

Download
memory/1944-170-0x0000000000000000-mapping.dmp

Download
memory/2244-184-0x0000000000000000-mapping.dmp

Download
memory/2388-148-0x0000000000000000-mapping.dmp

Download
memory/2388-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2672-190-0x0000000000000000-mapping.dmp

Download
memory/3132-160-0x0000000000000000-mapping.dmp

Download
memory/3136-158-0x0000000000000000-mapping.dmp

Download
memory/3224-169-0x0000000000000000-mapping.dmp

Download
memory/3260-152-0x0000000000000000-mapping.dmp

Download
memory/3344-155-0x0000000000000000-mapping.dmp

Download
memory/3444-151-0x0000000000000000-mapping.dmp

Download
memory/3596-146-0x0000000000000000-mapping.dmp

Download
memory/3684-154-0x0000000000000000-mapping.dmp

Download
memory/4488-193-0x0000000000000000-mapping.dmp

Download
memory/4540-180-0x0000000000000000-mapping.dmp

Download
memory/4600-164-0x0000000000000000-mapping.dmp

Download
memory/4772-162-0x0000000000000000-mapping.dmp

Download
memory/4964-173-0x0000000000000000-mapping.dmp

Download
memory/4972-132-0x0000000000000000-mapping.dmp

Download
memory/4972-191-0x0000000000000000-mapping.dmp

Download
memory/4996-163-0x0000000000000000-mapping.dmp

Download
memory/5108-178-0x0000000000000000-mapping.dmp

Download