1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed

Analysis

max time kernel
180s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe
Size

6.2MB
MD5

7db309d6c5d298fab9e755bb613cd60b
SHA1

bd53f777213e40c6fca750db856a539b91f2779b
SHA256

1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed
SHA512

5b68f2751b95ff76797363a464537505fabdd1920f3f934781ef8c42ad96b487ff1c0076b453d3fbfeb78506b3da245bdc6f205dac105070e5afda1b9966fa98
SSDEEP

98304:GeyArfCP1wi5R3vgVz6h85sJUWrmpDCbWp/NK9N7dsNrZabsBVEEJs1QbAy:ACmrc6h8mKkOOWp/NKU3VEQbA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
872	UK9dW78.exe
4204	qH2nT71.exe
3244	LS5PO69.exe
2372	uO7hJ66.exe
1320	1zR76dM1.exe
4316	2nq9629.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UK9dW78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qH2nT71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LS5PO69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uO7hJ66.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000001e806-33.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4316	2nq9629.exe
4316	2nq9629.exe
4316	2nq9629.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2568	msedge.exe
2568	msedge.exe
1456	msedge.exe
1456	msedge.exe
3528	msedge.exe
3528	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe
1320	1zR76dM1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4316	2nq9629.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 872	540	1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe	95
PID 540 wrote to memory of 872	540	1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe	95
PID 540 wrote to memory of 872	540	1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe	95
PID 872 wrote to memory of 4204	872	UK9dW78.exe	96
PID 872 wrote to memory of 4204	872	UK9dW78.exe	96
PID 872 wrote to memory of 4204	872	UK9dW78.exe	96
PID 4204 wrote to memory of 3244	4204	qH2nT71.exe	97
PID 4204 wrote to memory of 3244	4204	qH2nT71.exe	97
PID 4204 wrote to memory of 3244	4204	qH2nT71.exe	97
PID 3244 wrote to memory of 2372	3244	LS5PO69.exe	98
PID 3244 wrote to memory of 2372	3244	LS5PO69.exe	98
PID 3244 wrote to memory of 2372	3244	LS5PO69.exe	98
PID 2372 wrote to memory of 1320	2372	uO7hJ66.exe	99
PID 2372 wrote to memory of 1320	2372	uO7hJ66.exe	99
PID 2372 wrote to memory of 1320	2372	uO7hJ66.exe	99
PID 1320 wrote to memory of 1012	1320	1zR76dM1.exe	107
PID 1320 wrote to memory of 1012	1320	1zR76dM1.exe	107
PID 1320 wrote to memory of 5072	1320	1zR76dM1.exe	112
PID 1320 wrote to memory of 5072	1320	1zR76dM1.exe	112
PID 1320 wrote to memory of 3384	1320	1zR76dM1.exe	114
PID 1320 wrote to memory of 3384	1320	1zR76dM1.exe	114
PID 5072 wrote to memory of 4304	5072	msedge.exe	117
PID 5072 wrote to memory of 4304	5072	msedge.exe	117
PID 3384 wrote to memory of 3128	3384	msedge.exe	116
PID 3384 wrote to memory of 3128	3384	msedge.exe	116
PID 2372 wrote to memory of 4316	2372	uO7hJ66.exe	118
PID 2372 wrote to memory of 4316	2372	uO7hJ66.exe	118
PID 2372 wrote to memory of 4316	2372	uO7hJ66.exe	118
PID 1012 wrote to memory of 3924	1012	msedge.exe	119
PID 1012 wrote to memory of 3924	1012	msedge.exe	119
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121
PID 3384 wrote to memory of 1792	3384	msedge.exe	121

C:\Users\Admin\AppData\Local\Temp\1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe
"C:\Users\Admin\AppData\Local\Temp\1d98f1b9329d1bffe4babfec791d62c414cf4929c2d33becce5cb3723dbfcfed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK9dW78.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK9dW78.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qH2nT71.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qH2nT71.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LS5PO69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LS5PO69.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uO7hJ66.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uO7hJ66.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR76dM1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR76dM1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe593f46f8,0x7ffe593f4708,0x7ffe593f4718
        8⤵
        
        PID:3924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
        8⤵
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
        8⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        8⤵
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        8⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
        8⤵
        
        PID:5292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
        8⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9237428319817435739,13329588464644553130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
        8⤵
        
        PID:5608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe593f46f8,0x7ffe593f4708,0x7ffe593f4718
        8⤵
        
        PID:4304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6366533327948723052,7516738685747986008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        8⤵
        
        PID:1408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6366533327948723052,7516738685747986008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe593f46f8,0x7ffe593f4708,0x7ffe593f4718
        8⤵
        
        PID:3128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3396868404368691339,11921065789586593459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        8⤵
        
        PID:1792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3396868404368691339,11921065789586593459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nq9629.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nq9629.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b810b01c5f47e2b44bbdd46d6b9571de

SHA1
8e3d866cf56193ca92a9b74d1c0e4520b5a74fdc

SHA256
d1100cf9e4db12cc60cce6e0e2e3d9697e762c219f6068eb55a1390777bf4b45

SHA512
6bbf900b2f7614dd17aa6d5febe3ad1100851e2309ba2cd5219c5aa5af7bf830eec2cc88071d37987aa7e3f527b8df5b2d85e8b21b18fcb071baaab1a2eadae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfec09f67af22db0f6cb0fd3d8d77367

SHA1
8c2fa2ba6ba67b8d4681a62f3e0479c6b80bb34e

SHA256
7a6db88067e6b2d35496fbe93bbd94df3f2401796a68c62af89f44f3298fb1ad

SHA512
c3532af9a6b1d91050b916d392ec7c86619a47af9459204ba3d7ce3cc25fe365db9f285f0b4308e16cc0af3f727f65d400bcd54eac4783297faa6146b4036188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
bebb20433d5cfeb8267ab078cc5eb7b7

SHA1
e927836760cef77c9c387163113e333554cded14

SHA256
85f50fca94cb57cededbc6a94f61a6e4260cdb1824fca76f6d5081bb569ba280

SHA512
21d4d24a49ab44fbaf51ec8d55b12bcca3df56548479e0e9f5b9f5f71eb99e05230ca675037ce208d4c6d4067ca6c176b1d8446791450c4e65a23fd5ea7dd005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
eccbc8f3f127ec4a9191ac7629d07f74

SHA1
53247d37168ee876581ed433b4df7f1423bf4a06

SHA256
26090bab1fea331f50df06a8b13985ac255ae76360de8ac14f87b397aff5ebe6

SHA512
8bfaf7d3d8e150f61a89f84091bb47bef1a07502321053b2a5a4cbe22a63c3aaea142bcce0de81e61ef39db96dea0f1b249d4b50369862c69f2c8c675b1f04d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b8cd45b1-a43f-42d5-b649-9af992bdb63d.tmp

Filesize
2KB

MD5
9eefa27602bf860c49f023feebb5a4da

SHA1
ffdf72e42500559662bc285bad3c53c4ba7e30ab

SHA256
8c4f57a2c7e70c04bdb2e1e424cf7acea8cd93fdce7e53e462af430377100f9d

SHA512
98fa6bbc54ee733f5b5b38360f017c2cf9d7d21cfc2e29b456fa778c7c61a208ed8ed153ecb4f709cec42a5f3271c16062a6415ef346783863e08b010323f8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK9dW78.exe

Filesize
5.1MB

MD5
4eae750e98d14931f99125590f2917b4

SHA1
faf22a00179247339703dc2a84765d8d78fac59b

SHA256
957b8bdb3ceeeead29492cc360f083a611d66f8241e5d2f7aae52d6ad9cf9410

SHA512
1a93b8ae4e4769508c8fcdf6a2a0f736cb1c743acfe94d955e43ef0191eb6af54724c81f3dedf384958beb3bbcd3828ebdd1c9ebc8a3105accbf30080b4e950e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qH2nT71.exe

Filesize
4.6MB

MD5
c0beb926fe2f0f6ee19727aba97f0451

SHA1
27be996335db3725f685ad7f42fec80b850b9783

SHA256
d0319e76b481c648daffea7db3b229a11c18973207e4b08140735de32ba941a3

SHA512
cb27a83f20d07a52182db399cedd7b2a07fe23f1603d6ba96ac51b4ffa84e601e893b8c13d5b2024acf48070786c465d6c0b2a35e3c155db6f7c4d8b88990896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LS5PO69.exe

Filesize
2.1MB

MD5
99447a50f7b373062baa8309f72228a6

SHA1
90c0f3cf336fa4402d3d59a4c917ac35f00c391a

SHA256
f1858a0da43c84460f0957f4103bbbd82f5df68d2c45c700de2df62229bef5eb

SHA512
12075eb20dbfc6e16f860195653c8b0c0da46aa9795dcdf901f0c3b4dac1b63fe90c3434539c48a70bb8c84ffdfa3aed31428b8808e95c1cbda2f1d28d48ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uO7hJ66.exe

Filesize
1.9MB

MD5
fbfa038e3af8a75aab434f445a73f0de

SHA1
33ac12147ad75140be2e5c6b08ad19e422f49e58

SHA256
086f97e6f2695a2a4990ecfb3d369741754c6572ac417036d66869c68cd9653f

SHA512
22bd5e75c3f1411ee7d128222a913a9bb7028cb5bc793e38ce7080c1c3dbba0db1c0640429b6afa93d6a2a6987b1967e01c1f2960e972e32ca3e5eab160b2646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR76dM1.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nq9629.exe

Filesize
1.5MB

MD5
0bf078f324f56eb7e101bfe069765283

SHA1
56f2b54041b4a0208e2cd3cafa1bdf77ccee6a2c

SHA256
61db5b0e9da6eb351d3d3199987742583ccbd70805dcdea7883798aaa7b3b1e6

SHA512
c4f8bd74ceaae24cebdc6a7332ebb53d774953aadf8b9f883f18d98e6055c3b17d3b4d54fb83a647d3fff67f26541b4025cbdf13a218eb0a497ed7d8304b3cd2

Download Submit
memory/4316-38-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/4316-58-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/4316-128-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download