hxxps://abdo[.]digital

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://abdo.digital

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2156	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
1472	msedge.exe
1472	msedge.exe
4648	identity_helper.exe
4648	identity_helper.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeCreatePagefilePrivilege	2156	explorer.exe
Token: SeDebugPrivilege	432	taskmgr.exe
Token: SeSystemProfilePrivilege	432	taskmgr.exe
Token: SeCreateGlobalPrivilege	432	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
2156	explorer.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe
432	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4976	1472	msedge.exe	84
PID 1472 wrote to memory of 4976	1472	msedge.exe	84
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 1408	1472	msedge.exe	85
PID 1472 wrote to memory of 4336	1472	msedge.exe	86
PID 1472 wrote to memory of 4336	1472	msedge.exe	86
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87
PID 1472 wrote to memory of 4280	1472	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://abdo.digital
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6c8346f8,0x7ffd6c834708,0x7ffd6c834718
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4010566081814292852,13309125678542641270,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
db29784b1764d1eaf412494d75f9f199

SHA1
ff3ff380795b08ff4c8e59c8434b39d5c437dd68

SHA256
4206c7584a19dbafea00223520112823707acdb323ff77a511c8afa3d16c4ab2

SHA512
29a8af2a60aca8fbdca73b8e92998623828c7b842acb1aafe1967bde0b5bac7cc57f83346a6d1326d4869976be684156d909a889601d25be325b109205c05bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
998B

MD5
bbc0580626186d08a3994fc0c129df6d

SHA1
a350df735bb83157cda679ad7c1659e4e083795d

SHA256
404bc4e4512b5b03e2414ebaf73c3c29e06801b2d13000f7769c8a4bfe35e234

SHA512
6fd78cc32eb31b42bde69f2333dd4043e116c5c4cef44bbb032ac05beacfdb6325eba7abe930d7cad0a5665c8839fe086eba05f1a37e7124c30f5bd748d16c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfbae2f7e5fb128ea325226e1e13ddc6

SHA1
21b643fa9314efac27b318f8a1ccd046dae0a201

SHA256
3430e5ad7127ecb550158f06fbf09315ce1f868a039b9b9837b711509d132df3

SHA512
430b6cf6a867f3314235f6e8401a5a53f6007871ec0e8b50d3c7b4d3a8868ced03d092c773886db607c97a5ca57b486c7762fe923183b72d2c884f4c08025311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f11146e43fec7e305a623be73be4f21f

SHA1
a9a8ecc7f0edb471ae4704fe29209a121577809b

SHA256
7486d9fc43d0048b02006ecb3d93f65748904fabafd49d352ca66afd32587107

SHA512
aa9d53927850fbc6532b3a92283e48db7f8884dc1c6bed64a114674dc8233a35de47490e41a908b06a7d0eb608e3d7a1ddd63a522fb509c20be28b30b91877bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d44dc58e08c6786db7dc027db0ce9bd3

SHA1
5bd0c393df949532603d2e55b496aef5735613be

SHA256
74e83626f6efe07444b2e27a8e8e109fd91079f1f1e4cdc38c7499cd4dea1996

SHA512
b9edc231677505979f072111b850e30d2a54ac371962a03a633bd32af2180bade6ca134cac47e9298c4201a52f6f197c531a0167a1de6088b990459283406295

Download Submit
memory/432-115-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-116-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-121-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-120-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-122-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-124-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-123-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-126-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-125-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download
memory/432-114-0x000001D9E5310000-0x000001D9E5311000-memory.dmp

Filesize
4KB

Download