a7f088a1cd622d248cd2904ba001c8d5eb9ee90db7fe6d043414bd513a6b0275

Analysis

max time kernel
172s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Size

2.5MB
MD5

f3b0179ba1f2f60ea88c4f14c4e7a829
SHA1

cada0b63415bfdafac480da21742d673a6f1d359
SHA256

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
SHA512

fd4f6e6eec6e565435c7fd7d6e5f79d7f59cca0e9ef068f370c65b270d5d4fa034b0990ecb8fb4427ee58ff5048b88130c2b80002e7d63a15c0b4aec2d342303
SSDEEP

49152:VkJD9VUS2v2/czNA6XgbuzDUyjYFb1nbuZvaMba5A7e0JSkJsGdLtFprqRbFFjfr:y9ESLEzNA6XAycRpuwiPBOGdZGxFFrJh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3960	EU6Wr47.exe
4516	fo7Qf38.exe
1184	2OC4417.exe
1556	5yN0yH9.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EU6Wr47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fo7Qf38.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000400000001e7ef-19.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1556	5yN0yH9.exe
1556	5yN0yH9.exe
1556	5yN0yH9.exe
1556	5yN0yH9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2604	msedge.exe
2604	msedge.exe
764	msedge.exe
764	msedge.exe
320	msedge.exe
320	msedge.exe
5520	identity_helper.exe
5520	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
1184	2OC4417.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	5yN0yH9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3960	4724	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	95
PID 4724 wrote to memory of 3960	4724	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	95
PID 4724 wrote to memory of 3960	4724	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	95
PID 3960 wrote to memory of 4516	3960	EU6Wr47.exe	96
PID 3960 wrote to memory of 4516	3960	EU6Wr47.exe	96
PID 3960 wrote to memory of 4516	3960	EU6Wr47.exe	96
PID 4516 wrote to memory of 1184	4516	fo7Qf38.exe	97
PID 4516 wrote to memory of 1184	4516	fo7Qf38.exe	97
PID 4516 wrote to memory of 1184	4516	fo7Qf38.exe	97
PID 1184 wrote to memory of 5112	1184	2OC4417.exe	106
PID 1184 wrote to memory of 5112	1184	2OC4417.exe	106
PID 1184 wrote to memory of 3704	1184	2OC4417.exe	108
PID 1184 wrote to memory of 3704	1184	2OC4417.exe	108
PID 5112 wrote to memory of 2996	5112	msedge.exe	109
PID 5112 wrote to memory of 2996	5112	msedge.exe	109
PID 3704 wrote to memory of 5092	3704	msedge.exe	110
PID 3704 wrote to memory of 5092	3704	msedge.exe	110
PID 1184 wrote to memory of 320	1184	2OC4417.exe	111
PID 1184 wrote to memory of 320	1184	2OC4417.exe	111
PID 320 wrote to memory of 2088	320	msedge.exe	112
PID 320 wrote to memory of 2088	320	msedge.exe	112
PID 4516 wrote to memory of 1556	4516	fo7Qf38.exe	113
PID 4516 wrote to memory of 1556	4516	fo7Qf38.exe	113
PID 4516 wrote to memory of 1556	4516	fo7Qf38.exe	113
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115
PID 320 wrote to memory of 384	320	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
"C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe0ca846f8,0x7ffe0ca84708,0x7ffe0ca84718
        6⤵
        
        PID:2996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3673086208102146668,17674862804924414603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3673086208102146668,17674862804924414603,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:3604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe0ca846f8,0x7ffe0ca84708,0x7ffe0ca84718
        6⤵
        
        PID:5092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1884370393866048345,6908822324547114898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1884370393866048345,6908822324547114898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        6⤵
        
        PID:640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe0ca846f8,0x7ffe0ca84708,0x7ffe0ca84718
        6⤵
        
        PID:2088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        6⤵
        
        PID:384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
        6⤵
        
        PID:3584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        6⤵
        
        PID:1788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        6⤵
        
        PID:444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
        6⤵
        
        PID:3288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        6⤵
        
        PID:1892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        6⤵
        
        PID:4680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
        6⤵
        
        PID:2920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
        6⤵
        
        PID:5352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
        6⤵
        
        PID:5372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
        6⤵
        
        PID:5364
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
        6⤵
        
        PID:5448
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,12978811906784358875,12914333797006421201,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 /prefetch:8
        6⤵
        
        PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b810b01c5f47e2b44bbdd46d6b9571de

SHA1
8e3d866cf56193ca92a9b74d1c0e4520b5a74fdc

SHA256
d1100cf9e4db12cc60cce6e0e2e3d9697e762c219f6068eb55a1390777bf4b45

SHA512
6bbf900b2f7614dd17aa6d5febe3ad1100851e2309ba2cd5219c5aa5af7bf830eec2cc88071d37987aa7e3f527b8df5b2d85e8b21b18fcb071baaab1a2eadae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8664d50552a4370c3b45060a8db87433

SHA1
3947720bca8b6cd815f03ff6fd0c4a2b3525601a

SHA256
117b6fb2526adf9e3109d0518a5061c9457a91b480c3f94402eebf561ec102a3

SHA512
32262723cb4775207a01a64b0d08181d9b96a69916b69a3e30ba4955e25223fc10d5326bea59d7ecd146a02788bf8086b12925c52557827b7e463f219195a615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25d20916b43a6d5f93c771aeb02e9080

SHA1
3ba5505deb372406098f2c6c2f1dd21d129aa70d

SHA256
89cb050a6470ffc7f617cc97d0bced84c73e538d64e21a76846290fb3c2e7c62

SHA512
d965cd310368547abd90ceddd16e65586e221214420ebdd9b3f05981b829a087d13839eebc2ea617cd7b71b656ca8f6af390f35bb511f3d4e71a4db23a92f982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f96233287f70d64bded6f36933ec8186

SHA1
68af21fb5b4bb2679d714d273634bfbb770c22fc

SHA256
22df1783e0a2116cfccc2d32bb4312114245c6c74d8ceb28f0e9022cf9775a3d

SHA512
106c860015600ccadc0a400b7f476eb82f21eb430b3d9189ced5220799026a2554e301a20ad7cb624e13e4b50f07cb7b58e8332c15a71746b307aaadc08d6141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
629bc06f4934312b2f472e569ebb57e9

SHA1
94709c5ec4d6685f340e9b9f40f9fdeee955ada7

SHA256
2b57c4441e979910b63dd466b067de6b88f8da19d42c04c9a9b3d3272dee5aeb

SHA512
19509f4c64e763d5d02f22aa8e566354a128fa29869823e32a8553500c450b393a4c6aba241f3e9248fea3428630a07b827ff1dc92e66f810a492c0868479a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
3effb36b89c68932860b41cbe8ab6eb8

SHA1
e6371daff349f78aba6dd224ea8d2a527b91a337

SHA256
97aa09d9c24d3188ff4726725dfe645d61c401a7b493fe7e67d41ebbbd28ea08

SHA512
f17ad5391e7f698c274869146dcd9d311de12d8279b54be4ea000473aac2f86ceab11a169bf5133d28888b5487246902d9d5adf6d05798a5470768ab2fa2c57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
dcd310476bd9c2d8159e8fa12afb1272

SHA1
8f020445615ecb34ce1d161b486f46c5b300e9e9

SHA256
0f41eacf50b46244fbca6f8043b9967f68ed3873ef38b7a03ae42b4db2b334fe

SHA512
21ff60e04e18ea1c99da5f7efd4705f72989e38e3d2539ed49c6a0a6249e24318ee5b8b0b64cd68404fe8300f96504b62d1117f87266b5ce713f90ff4d37e116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
ef4fd3b66e4a4e4b18fc6120990e7a0b

SHA1
60f1862a3e1f9cee4e9c0a0cabe690b2d7a3fb75

SHA256
ea2d93d9e678bb4445e3db984d395111f052282c453f2ad5d82d27af9bd05b60

SHA512
786883245824d8146a95f2e004b1ca3089a601fa3ea29ada55f43b2fce556dd63fba8fb82c2bc8555d039d3f867d11dc9f7ba03a965f6b078d56aa235dd6ac34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9419d00c75bcbfacc3c25f9d24b8d638

SHA1
f81b5b99ff422ded49b869bca31db6408327cc87

SHA256
f9c904313c2b76c9c12d5675f4daf20e3c193c4511d37b3dc904f8600000f4bf

SHA512
79c0c635f8df74da14b40e3475ebfb9bbf49271e96ece19c344aa8930bd34ae67b6d4f6c46ac516f6250c47dbb59d914e4c24f39f24428ff6e4b65646d3d5942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8e37643182c1c35249b18f9181c599d

SHA1
b44fd588a55d925a09bab381487021bc4b1028fa

SHA256
ec2a75cd96d861bae53a2fdc2f813bc81ce985e8e336c6405eaef0fcff8cdf23

SHA512
1212683184661a57353218c1fd287aaf34c90f4f0cb4e60002035469263aa1790edfc109233c319e2713754d9c447014c9c4553cb23dcc5d812bcc029e00cc39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b8b69c04fd93ed48ed4eb711537391a2

SHA1
1856e591b1174cfd92d0af253b55b60c8d8a2d36

SHA256
afc3c767b6538ed0aafb38e48d1f366b58069b923595f6558906e7517e5256c8

SHA512
677ee54bcc9b6c9e2cec10c508f4ce14be4943e5286c9fb62649dbef83e1255844b1512d7e76b681021642d56c3e0ff21539b63f451c0edf7ba51785281fd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe

Filesize
2.4MB

MD5
9c48487da185e861ba60949a63ecaaab

SHA1
977c0af43b46c7b855e75d195e19a52702cecaf2

SHA256
59d884695032fa9d11282c7f1cff87f0f974434c51016398b141737f54263cf3

SHA512
6b37a301d962742198b7cf0e24d117dc1812029617f06613ef175c8ad7d6ec2735144efd7b355bd5b4422f3ad3dbe3f91f3cb46e55dcf3a056f5636ae6ca4cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe

Filesize
1.9MB

MD5
60764862bbf223a46037cbebbafb0d0c

SHA1
7ec036c3651fccd8a246a30118f9e1dc62ef7710

SHA256
319d23401d5285e6abab1136687f6987df912e0e656e1775a61179eff9668064

SHA512
5f32cecc0eb02aa616fceee95ec074c536d57b7beee18f30a9356c9e9b5244ff8255cdcfde6cd689bedea411f2aeb7925a34c615b04caab43ebf3060069d1af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe

Filesize
1.5MB

MD5
302fee1f9c5aa09eccc5a6ad51f5007e

SHA1
bc60c16b80d0b8498161a61a9e56d4101a8d0b8a

SHA256
3e67c6c32acb0dee0014f749ecfe30f5862676c7db978cc442c8eb3c4237c7b0

SHA512
163559815db8f14f86076e6d3b6af277bfd7f13af83ebe961d9275a037bbd8579c2955a653311d937be50963f8528f2703384d350248d35c65877ddc33fa9637

Download Submit
memory/1556-46-0x0000000000AA0000-0x0000000000EFE000-memory.dmp

Filesize
4.4MB

Download
memory/1556-240-0x0000000000AA0000-0x0000000000EFE000-memory.dmp

Filesize
4.4MB

Download
memory/1556-214-0x0000000000AA0000-0x0000000000EFE000-memory.dmp

Filesize
4.4MB

Download
memory/1556-178-0x0000000000AA0000-0x0000000000EFE000-memory.dmp

Filesize
4.4MB

Download
memory/1556-132-0x0000000000AA0000-0x0000000000EFE000-memory.dmp

Filesize
4.4MB

Download