6fc287b2dc57fce3b1d7a95c8fdb6605e74d10e6644a800d67531965e2bdb7d8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

login.html
Size

27KB
MD5

d7e398e2ff1a47b8889d7dc6c0818d22
SHA1

da98ab4b635e764fa13961987f840014eb546197
SHA256

6fc287b2dc57fce3b1d7a95c8fdb6605e74d10e6644a800d67531965e2bdb7d8
SHA512

f164b3a00de85e58f43390d52a71f7ed05d68b1c5647a2f42c33ad6e0fa4ed5d560e09f7668a268246ad6ab79c7bf6c58114aa9b92fecfd965c9d31eb18090f3
SSDEEP

384:mZ0e3ujIp/n7M0IQqC9RZfxSAZn0fZ91mP6GQmD3syZj5XCqzGX3o:C0GugIqjfxSAZnmZmDQysyZ9n

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230111193541.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\41b6450d-593b-4863-b96e-508ee43bd580.tmp	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000055e705317208724f818ff84de6ddc69d0000000002000000000010660000000100002000000052f751803926a0b165d105c470177e5806288ee8c7c15dfdba560ec2775e61a4000000000e800000000200002000000043c66ce1e9a5503ad9debc81b6e582f9a275b957cb6f480398e40c1f9b28f12820000000b5e676931476b202db1c6f8c668888e57f791e33682d9f8518a7bb8d9288101940000000c6b702817a31218d234e3d68d9f6bc8c1de67e761671e680228dd8c90dbf4d74f65c31b7ad5e87deeb78bfe6519b45b773bf6f2c694b0cd26d548300579f1750	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000055e705317208724f818ff84de6ddc69d00000000020000000000106600000001000020000000921fed59bbbad37c382e9ddd78acc47e3b9cb256359adfb6985f0975881b5ba2000000000e800000000200002000000040ebcd4b771f23462e08042a56cf9cca70300ee1456aec902cf2e145248401992000000096a8fe30e31ec4b905e6d4cd098c88edf2771b15d85162864597aa11f899a082400000004e720de8ad6e817a703df0c44b2eedd752bf82d38be4753c77ef06c78d864df8563e7dd276a08a7fdb23a054ec30e0767b7c26a1513851de5835a83179de0767	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380230636"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3332790277"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008243"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d0bac7f325d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3332790277"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3339978870"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80fcc1c7f325d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008243"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31008243"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F2092C23-91E6-11ED-B5DD-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
4104	msedge.exe
4104	msedge.exe
4636	identity_helper.exe
4636	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4272	iexplore.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4272	iexplore.exe
4272	iexplore.exe
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1124	4272	iexplore.exe	79
PID 4272 wrote to memory of 1124	4272	iexplore.exe	79
PID 4272 wrote to memory of 1124	4272	iexplore.exe	79
PID 4104 wrote to memory of 1432	4104	msedge.exe	92
PID 4104 wrote to memory of 1432	4104	msedge.exe	92
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 4464	4104	msedge.exe	93
PID 4104 wrote to memory of 3788	4104	msedge.exe	94
PID 4104 wrote to memory of 3788	4104	msedge.exe	94
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95
PID 4104 wrote to memory of 3252	4104	msedge.exe	95

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\login.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4272 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaf25046f8,0x7ffaf2504708,0x7ffaf2504718
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:64
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6fe975460,0x7ff6fe975470,0x7ff6fe975480
    3⤵
    PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,14123758249644083355,16243841897387360535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4f8
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d573b2aa87eba6871bbfacafe3025db5

SHA1
6250740ebe65f64db1f0f8a773be17525f27b9d8

SHA256
21761b2fe7450acdcd63254f296c9ac41b2d931c79af613e8ce2400e8b675d19

SHA512
e2b8de3dffd78c6d2d376e444e1c1d83a49bbba5c13b268155a388cab2599ecc93974c5e05878affa207d015cc7980b1dde3d131517eb904f2c4e5a9fb6778f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
7d2df1da9f7f5a57eb49e4aba4c87f19

SHA1
845461c1c0040e9dd244832f6d26ed8e32c0427e

SHA256
acf81a925312c5f925c415f10f83c5a08aceae7aa7e37f8ce0cc4ccfc4c3a6da

SHA512
2a9bff8f6444939897cb231d9174b7718145ea39c8b82d5eaeec96c4e7ef8ae6943a79aefe44bc5fafb21d9e02970f4f47e31bcdaaff4d180c90df245690c33f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
03c43ce055f8989a6508481c8acb6608

SHA1
3dc33276158435396c4272531a62707a18a4a875

SHA256
1e977bad400e43c86966889b895bbf3b00b929b4bf497c791ad0ed2a0749fd3e

SHA512
fb69a674b2c2aa697a7c1fc94490298949831762d9d9612266314727ea85f84035df089f62e1aec24474caa1fc52fc94ea704d161335d37c1cf746c72af1f8ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
63b740f18b49b4e5eb2db78116b065b3

SHA1
567663689a89503549d82f54c73b144fe41e559e

SHA256
c6ca917d56c9058ed3ec87d68d3f48bd83ef23cabea01ad1b3ac19580c2cf062

SHA512
e19f70e778ce31c775da73711518dd922469e6e32929626aa79bbb489bf7dcff725ffdbaff76466483b8407af8d4bc97c6ab4723055f093390ba6367f2250532

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
446B

MD5
b8e830d68ab19fdb598b62a57ace543b

SHA1
baf048f550353cbffb70efb2c48671026118a564

SHA256
f9d0feead655c0243ef3f1f3053aed8d160ca03bcb3214cae34f1114746a2159

SHA512
ae28b4fc64f39ea6e201f59bd2f1255f28f1871dc390a242b812ee6872873b0ddbbc494f62faaef55a3f9134e7e26a6ea2f59c20045f960817f06e319114526f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
ca99292c0e2f05f0b6a0c445a0889c13

SHA1
849fe2081008531b21961ac03b5d6c2cbec6bd89

SHA256
654f955ea27cecf7699eb369f3f0265900e907df8b6cb91db441135199262dab

SHA512
05c617aa41061c4f5733278ccf295469cbef5724cdc007856b1ad6083fb73e5492e619324aa02fb044917c4631de75b5e54a2b7a9a729c4ec8c9b3c989e369cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
467bfcf83809c9e4ee914d9455b13eca

SHA1
361c046088fba455d725ff7cdd7552e12e65d107

SHA256
d2156ffc7d9c8f6d42bbafbfe8ced77f96336fd21133da9da2b1a2ce6af85fc4

SHA512
926baa03c092f7231c1af9c11f2ced8a673dd4ad2067334d3e7f25ae0e8f44aaeb02bd4450c000d8872cf2dac044004aa2e427e281334508db93591e1bfa261d

Download Submit