30f7de0333c664ae983317b7610f02735d2d935f78e39d90657450ab4af2c872

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

OOOSPOOKY.txt
Size

61B
MD5

f403cac570c216fda38cbda48c0ca1d1
SHA1

2a2f1722c018d5491495c9b932bcb1703cf9fd3e
SHA256

30f7de0333c664ae983317b7610f02735d2d935f78e39d90657450ab4af2c872
SHA512

d2d65672d7337b22f403af0d31070e59959f76ee7459c4c7d0e4bdbe24b8d3a35db5a1de30ad55ee759a3a69bc3b06e3e85b3bec4424a00aa56703eeed3d7d0e

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
296	api.ipify.org
297	api.ipify.org

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{82A116BE-8A09-4063-A5F9-591BB3E358D6}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2772	WMIC.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1392	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
1632	msedge.exe
1632	msedge.exe
5800	identity_helper.exe
5800	identity_helper.exe
6012	msedge.exe
6012	msedge.exe
4404	lmao.exe
4404	lmao.exe
4404	lmao.exe
4404	lmao.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4404	lmao.exe
Token: SeIncreaseQuotaPrivilege	3476	WMIC.exe
Token: SeSecurityPrivilege	3476	WMIC.exe
Token: SeTakeOwnershipPrivilege	3476	WMIC.exe
Token: SeLoadDriverPrivilege	3476	WMIC.exe
Token: SeSystemProfilePrivilege	3476	WMIC.exe
Token: SeSystemtimePrivilege	3476	WMIC.exe
Token: SeProfSingleProcessPrivilege	3476	WMIC.exe
Token: SeIncBasePriorityPrivilege	3476	WMIC.exe
Token: SeCreatePagefilePrivilege	3476	WMIC.exe
Token: SeBackupPrivilege	3476	WMIC.exe
Token: SeRestorePrivilege	3476	WMIC.exe
Token: SeShutdownPrivilege	3476	WMIC.exe
Token: SeDebugPrivilege	3476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3476	WMIC.exe
Token: SeRemoteShutdownPrivilege	3476	WMIC.exe
Token: SeUndockPrivilege	3476	WMIC.exe
Token: SeManageVolumePrivilege	3476	WMIC.exe
Token: 33	3476	WMIC.exe
Token: 34	3476	WMIC.exe
Token: 35	3476	WMIC.exe
Token: 36	3476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3476	WMIC.exe
Token: SeSecurityPrivilege	3476	WMIC.exe
Token: SeTakeOwnershipPrivilege	3476	WMIC.exe
Token: SeLoadDriverPrivilege	3476	WMIC.exe
Token: SeSystemProfilePrivilege	3476	WMIC.exe
Token: SeSystemtimePrivilege	3476	WMIC.exe
Token: SeProfSingleProcessPrivilege	3476	WMIC.exe
Token: SeIncBasePriorityPrivilege	3476	WMIC.exe
Token: SeCreatePagefilePrivilege	3476	WMIC.exe
Token: SeBackupPrivilege	3476	WMIC.exe
Token: SeRestorePrivilege	3476	WMIC.exe
Token: SeShutdownPrivilege	3476	WMIC.exe
Token: SeDebugPrivilege	3476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3476	WMIC.exe
Token: SeRemoteShutdownPrivilege	3476	WMIC.exe
Token: SeUndockPrivilege	3476	WMIC.exe
Token: SeManageVolumePrivilege	3476	WMIC.exe
Token: 33	3476	WMIC.exe
Token: 34	3476	WMIC.exe
Token: 35	3476	WMIC.exe
Token: 36	3476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3060	wmic.exe
Token: SeSecurityPrivilege	3060	wmic.exe
Token: SeTakeOwnershipPrivilege	3060	wmic.exe
Token: SeLoadDriverPrivilege	3060	wmic.exe
Token: SeSystemProfilePrivilege	3060	wmic.exe
Token: SeSystemtimePrivilege	3060	wmic.exe
Token: SeProfSingleProcessPrivilege	3060	wmic.exe
Token: SeIncBasePriorityPrivilege	3060	wmic.exe
Token: SeCreatePagefilePrivilege	3060	wmic.exe
Token: SeBackupPrivilege	3060	wmic.exe
Token: SeRestorePrivilege	3060	wmic.exe
Token: SeShutdownPrivilege	3060	wmic.exe
Token: SeDebugPrivilege	3060	wmic.exe
Token: SeSystemEnvironmentPrivilege	3060	wmic.exe
Token: SeRemoteShutdownPrivilege	3060	wmic.exe
Token: SeUndockPrivilege	3060	wmic.exe
Token: SeManageVolumePrivilege	3060	wmic.exe
Token: 33	3060	wmic.exe
Token: 34	3060	wmic.exe
Token: 35	3060	wmic.exe
Token: 36	3060	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 4492	1632	msedge.exe	88
PID 1632 wrote to memory of 4492	1632	msedge.exe	88
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 736	1632	msedge.exe	91
PID 1632 wrote to memory of 4284	1632	msedge.exe	89
PID 1632 wrote to memory of 4284	1632	msedge.exe	89
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90
PID 1632 wrote to memory of 1912	1632	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\OOOSPOOKY.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd66ed46f8,0x7ffd66ed4708,0x7ffd66ed4718
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,1334838834374325525,10111103510640164319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2052

C:\Users\Admin\Downloads\build\build\exe.win-amd64-3.11\lmao.exe
"C:\Users\Admin\Downloads\build\build\exe.win-amd64-3.11\lmao.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
  2⤵
  PID:5408
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  2⤵
  PID:6008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  2⤵
  PID:4512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  2⤵
  PID:4680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
  2⤵
  PID:2188
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
    3⤵
    PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
0ba591ce702c01a1b38290720ca1fea9

SHA1
850484975fbdcf93bfacb99fb3073526917962f6

SHA256
ea9573f9f889b6eb2bd5a725cf1e2a8879b8e17684dc37ead43db8bd6db661a3

SHA512
71f4dc746a8fd09771f5d95b9f91c180fd8b4d7694c8f85a37936f66bae21413c48bff139e3ef7b90e3088dae3aa0bbba1983d043b904d9bec2216d7eb69eaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
132KB

MD5
747c62b841ce768b5edb983abbd05e4d

SHA1
3e41c2c86b30ead1c53af8bc4d05aad343015fd2

SHA256
ec06a160bc3cf941e8111ca9840214e280eb14c55556af467bf47443db9cbb91

SHA512
03ab029ddb8f492668ecbcae512371a02b7c483e2476128d6edb0753f68d5ce46aee8c8ebde962236d3b66658e65188440142fdf95f90aac9713de7a2921a04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
8KB

MD5
f565f18bf860d95c567fe7566ab6627e

SHA1
1fd41f591f6934c18d31a7b939ac2c5fc4626cd0

SHA256
54151143d06a353affc9921de574f1e34a30b8098f54a5c22247767a78db4480

SHA512
5b6362be9fc78634a56e85137dd8423c54900177a91aed2a85a6d5cf254e884ac3ed0ec6233927f986d6986bd1c56dbd698d73f557d864539c0c067f7778331d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
4e2d766c957bd59456749495c066a602

SHA1
5e35d9527308c9a0d1cd1a6c3deab0f9fd96b4cc

SHA256
627631bbdb63f6dfca8cd9723341c27843d86eb88ea7e6b54c1f425982c636a2

SHA512
2d56f9693c143806a46111dfe44a889800590fec833102147fcaa6d9154a647281dd8a1accdf3bf956f2ae3649f3c13387154a7bb08140a99b71cb59b28039c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
36b2685018b1827188ac652067e1f6f1

SHA1
895861a30899048c7f92bb72318ae6fa22e1b79d

SHA256
eadfa6b222cda94b4307cb63cf9b06ff188c1b964b718d12b489ac7addc39ad9

SHA512
2db94cc4470163ec5ae84613ba72b33a73e1a8b71c8fc975139ed024e8c7503313950852bfa5c389a1582cbb2f00ed1c24aca359721d519b8912a3fc510dc7b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5231e2b54a28f85750461358eb8aec3

SHA1
375c1b3ed77e23f1396bc66acf6cf7aae031d95e

SHA256
de354658c12ae8029929a4a3980f2b484a1ab15ae759ed7dcf8b62e071584860

SHA512
0f25ec8ddd150b9cd1bd177d2f59437631e99d0a0556afd3cfad957fb652bb01bdcd49c8943f33c0510a94dd740cf3ef3b02cfa903015b81291af436dd1ac39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
8625906bf42d498643bba81b54ab680c

SHA1
ced05e8be2193a96083904b3871b2dd849736045

SHA256
885dde38d53cd6b4cf61f7d10aa2f0ecab98b1a43e199ae7bbde10b696905767

SHA512
d840af2b777875ea153eeb6103358ce066d5614c0603110902aa624c5f97321c63723c45d2a1c3cd98cb3f7a89b3e83b2dee37b858098ee9515edf5f2b325148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f4c7aa3c812787dee8c0f8f37e0c614

SHA1
a16f7e79ef0951ba47eca0ae120b1543d80996ce

SHA256
3bce61fa562d568ba5dac26e65df0234b55a36307e3ed5ef03dd3f76c30d54d2

SHA512
da2ff37d6b569b664ed391ed1190faa0e42c8a7269254849fafa5e922d5c1e194979d5d52628e87df6f46c72c289b9251169173693448df49bbc517de9fffdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
e0177ae94502dd85758474a96e5d6233

SHA1
4d415779bf1ab6c9c90a1a629414e6015210e260

SHA256
442f75d558d10d78dcf85b57db65b39c4e1b4052bba8ff8dc067bfb8e7031e3e

SHA512
6318606c770ac553f36b1d0c972b5da809c4e9ea50931de4e05bb3ebb6f3a89fb3fb2f9b523f4bb08aaf2d87678b9c6ad4c03995822025babbc1475e365b9de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
22587cda242ca3febdb83f3b5f3dbb37

SHA1
eec09c9d422dbd9483545bbbf4a0d606733aa346

SHA256
a7f90ae000af56b8002a801da9b5fe7fb306b4aec64c7d71e1b8adbe3e26c382

SHA512
383614f8b11aa67c324b2b98e80969b3435377a7b62e47a48932aee68bf16e40876b4a1a36b43647451afe44bed28f5d62bce58810999be7e69c2763274ca3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\93Pgmf3M8a\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuDB5C.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit