cobaltstrike | e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e

Analysis

max time kernel
180s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe
Size

38KB
MD5

413d23c00c5ba3555027d7d2628c35c3
SHA1

962c05cddae5e28042278b894f6ecc1e61925832
SHA256

e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e
SHA512

4bf62a65c07c930bc71510b0ee404970e3e93dfee2331ab97bafae9635dc3230480b6546f68107705753d60b337103917d747992d4c6319696b72917f2e44ff7
SSDEEP

768:oFS/ebH9OhqvZ449GL1MdS4o8BWPKbKqBtQNCgHJ5:oFma9eaZHwmS4oqi8QV

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://image-sangfoross.b4a.run:443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36ghtt Host: image-sangfoross.b4a.run

Extracted

Family

cobaltstrike

Botnet

100000000

http://image-sangfoross.b4a.run:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
image-sangfoross.b4a.run,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAgAAAACAAAACV9fY2ZkdWlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQn81FQj9XqIVnVV1ELySgI0jQ15USCc1972WS5a5b9Xvc5eDHXdPRU2BS8yJSsLv+e3ofG4FVZuA6lPb3Xh+HgQD4c2WcdDwG7fOu6dKdA+Vg2JwPJDp1GWtwxxbSZBfOI8J0OcfTbR59EHSUKK0iHNiu7WlmWgQkDczs0xmjPQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.472211456e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAgAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36ghtt
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

32 3248 rundll32.exe
41 3248 rundll32.exe
102 3248 rundll32.exe
112 3248 rundll32.exe
126 3248 rundll32.exe
127 3248 rundll32.exe

flow	pid	process
32	3248	rundll32.exe
41	3248	rundll32.exe
102	3248	rundll32.exe
112	3248	rundll32.exe
126	3248	rundll32.exe
127	3248	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe

description	pid	process	target process
PID 4844 set thread context of 3248	4844	e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exerundll32.exemsedge.exe

pid	process
4204	msedge.exe
4204	msedge.exe
1032	msedge.exe
1032	msedge.exe
768	identity_helper.exe
768	identity_helper.exe
3248	rundll32.exe
3248	rundll32.exe
828	msedge.exe
828	msedge.exe
828	msedge.exe
828	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1032 msedge.exe
1032 msedge.exe
1032 msedge.exe
1032 msedge.exe
1032 msedge.exe
1032 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exemsedge.exe

description	pid	process	target process
PID 4844 wrote to memory of 1032	4844	e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe	msedge.exe
PID 4844 wrote to memory of 1032	4844	e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe	msedge.exe
PID 4844 wrote to memory of 3248	4844	e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe	rundll32.exe
PID 4844 wrote to memory of 3248	4844	e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe	rundll32.exe
PID 4844 wrote to memory of 3248	4844	e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe	rundll32.exe
PID 1032 wrote to memory of 1732	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 1732	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4524	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4204	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4204	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe
PID 1032 wrote to memory of 4680	1032	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe
"C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/chrome/update/
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb9c046f8,0x7ffeb9c04708,0x7ffeb9c04718
3⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
3⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
3⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
3⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
3⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
3⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
3⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
3⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
3⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:828

\??\c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
fc8fb1ec865536b0a6a058190ba154e8

SHA1
9bbae8753746bb1790c4b3a785af7a663b80fc76

SHA256
60b6a843156b69b66924de4cb1cfbaadabee41d9ed75b78003effc541adbd126

SHA512
a8981cad74da97ab5eebde3e4cc9b1e7d17ed91b91743a4238da4591e43b1518c0614e00d02719881c5c72b976f109deb13c01ba0e7e7bdcf96772cafb2f8e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
3b83c7b79ff2e694ec64656fe288463a

SHA1
a295f28c7bf18f85d88e27a255241b7af3251fb7

SHA256
f3f37620d4e99ac0f0f7533762794afa9f3f24a4e2a18ef9230c874298c6badf

SHA512
11b11241354c9460654ea945515bf960e7cb812bcc7d11b8a34c301437345fea6aba3e1c200dc165437511af9d5b5a1472f02391e9465a06de39926d6e40214f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
9374d86f56c02326d7c0833695b8db88

SHA1
637de8d4315492592e192acc3ae4780fe832cebd

SHA256
d9e78d57594c22af76f1e8043eacc1f1629ec72d4200e40b4e71294b5b6bf6a2

SHA512
ccce6caabde369e281a0e2103c5615d388de451373456e627cfe7ee325c19d1000302c9755f339de104492c15a3d9da734a8c04a5c3fe4c22fd760fd4ae60280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cef2da8a21a19643d9689947b35d3457

SHA1
0d7b08af5d5ffab1db76a1b2b809288855ce6826

SHA256
6ed1d9ee72a5c4a04d8196760ff8c4c9dc7cf661ff32fceecf72649444e7a79c

SHA512
297f7f3a20f4f938c2fd3e5d1b710e7312ade8710cf2d2b83b87c108e077ab65b8aadfd8aa50733a8c2a58d4051d9ad787f2e4fa6a28e5100a0757c690890c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a5ccc4a0a9e9ebb00d119f1ddea251e8

SHA1
3799a259730c8148b5639043043fdded60143860

SHA256
79d031b50ca6a2ac57e114151804ba88150a45308a19192613650ba352f3cd83

SHA512
b9bf7be04fef1a4cda219babf400477745cea489fdd64b2f0b475c750542ab9feff7de8c261a74f1fc20a5bd68b1b738f37dbb335f36992d2042d5b6ad67c371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9bf0253c823a80fe81aa50b2fdf742d3

SHA1
16b19b1f8bdb7afb0dfa74f73653de220010e616

SHA256
399e7ee2209fb8aa9dc735ae1bd1187ce592f9f7fbaefe7d4fab48c75a7e7986

SHA512
1b10dbee189bad94680ff2d17a894020bab7aa5cc6c8e38d6257430e924400b2db41db0e2c3216a5b20bf411c35c17dd7da47f45e6bdfcb312659bb5364e5a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
536B

MD5
b12c18ac92a1f957249d643ddf403f1b

SHA1
277928ecd2d4079249a5e6a777b1a8f5a71eb973

SHA256
1a6b2795731a6af8b604ad4ce4fa8ea441486ad90d9df647e66a504332351d0c

SHA512
6698d9f8232999524932f42005cc041d09876d33f7945fa5f3f329cc4ea3745e4223bcc295c9a053cf623dac2f1aeb10ce9b9a4c8d8d7aef464da86c7ad411b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
536B

MD5
0b0a71a22e5ca0489f2bfe36aa8f1bdc

SHA1
2fa9233d2e073b94c54daf1b8a99afdab6a36d68

SHA256
6e7cbc6641f147a944a8430456a1735131bc0ed4e2b49f529d538ed56b941129

SHA512
cad72501f08a3d6da3d3a7b7ed3bff5ea71333552c918aee9509c7df4a501cc20c14081116ea1187e84f58086cd540d484f3e780e8691a14860caf07f6b67d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c692.TMP
Filesize
371B

MD5
8b4fbc6702af420d3837fbe83bd953c0

SHA1
8ab6620f27b62c251ab6a647604ec9d600e2fb95

SHA256
13cd72ad226f6f64377016bd9735ffe67be5a12be812932ad0ffebd4179e55a1

SHA512
e6d00e31f15e9c234a77ea5bb9b2ccc661112400151949911d951533e7194afba59bb6cff6746bbefd532ed922691a220d88a677aaa59794d0d577923b31555b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
9484642a7a1e9b878babe9546d4b23aa

SHA1
188b29ca8e83b985b1719d836b9f76dbf95660db

SHA256
431e1d831d758a1440b88da13a60323e110a981151d22eb5a2c757b386ff33ca

SHA512
8de553245362c165b13552a57fb264624e3b64476fdeeaf55cf230c83539787633b248d3cf02b807fd5617b987584338fd21d7f34c71df74eddbc9c9efd589e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
11206491eb073bc03bece1aa332b0f94

SHA1
4b47e51314f61dbd1623addac28126a3b0ac479a

SHA256
b79aade02ef162e4376d132c561b91c02f6995f259cb0eea4e1a9ee4a3285dc4

SHA512
23992b243dec127c4dd4a88f73076eb8b61187f6f8545dce8b54cdbddd2e96e5bab47c6695f7f0dfc2a815374e95c3c11f1f5f188bd1f14d2a3b5663373fcb6b

Download Submit
\??\pipe\LOCAL\crashpad_1032_EHIWTFUYGSTVRMJZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3248-49-0x0000015160850000-0x0000015160C50000-memory.dmp

Filesize
4.0MB

Download
memory/3248-0-0x000001515E9B0000-0x000001515E9B1000-memory.dmp

Filesize
4KB

Download
memory/3248-18-0x0000015160C50000-0x00000151610C2000-memory.dmp

Filesize
4.4MB

Download
memory/3248-19-0x0000015160850000-0x0000015160C50000-memory.dmp

Filesize
4.0MB

Download