630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc

max time kernel
140s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
02-03-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc.js
Size

475KB
MD5

b3466ea07dc83fcce7eeba0dbc1c8aa6
SHA1

1aeee7429327e3241fccddd4b2f06b8e6fb67ab8
SHA256

630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc
SHA512

f8b4f246112071a91c125ce6384a0b86d6be1b9631801e53e9e4f2b8027b4b5acd9aedf8b4fab7c7dd69e1729f1ef27b2aeea1f940ffceaf8f2abd320fbb57e2
SSDEEP

3072:VVnNs48OW0kT97kFUxj3mKMABR3R7DyWvEXNemiS0KPMID5whT0bMNj69wrVRs3f:nbkw83zLJtMtwmIj6ERCcXhe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

77 raw.githubusercontent.com
80 raw.githubusercontent.com

flow	ioc
77	raw.githubusercontent.com
80	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{C90436F0-70CB-4612-A515-537FA361CFB5}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 86024.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ-Destructive.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
1208	msedge.exe
1208	msedge.exe
4524	identity_helper.exe
4524	identity_helper.exe
1860	msedge.exe
1860	msedge.exe
4324	msedge.exe
4324	msedge.exe
2568	msedge.exe
2568	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4820 wrote to memory of 4792	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4792	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1676	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1208	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 1208	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 2032	4820	msedge.exe	msedge.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc.js
1⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffdea503cb8,0x7ffdea503cc8,0x7ffdea503cd8
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13282833733714777463,7061189573004626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
99fdf0dab34409a1479aeef6bf7eb219

SHA1
57985f20c2d0d8a7eebf72c1494f29364a120e07

SHA256
869c84d860ede59877d97212959a7b6beb05a154a45d0fac3bec206e6f172236

SHA512
9e1292814244dc79ac297797ab981f689f3317bb5bf5a186c21a79fb63fb338e46d4ff5c4a080121e2f6291f26c1d877b948d2a966971e6ddc2c4e8c50aa6cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a3a42ece82c487ae6929ad097b9d1397

SHA1
25fd3704b8427138d43ab31e86d925710ebe041a

SHA256
7416624bdbdcbf7c86f7e7ebbf4ed8625068eb888fbe5424824d88166b657655

SHA512
05db849335b577057aff030c75d37615c27b67548bf0492ac78005781da36a180e627cb4e0c7ec040afe737d66c810764ca6ebf0bc55cd9be19a79a8bba3cb17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dc032dc94a7cf5a357527784106b7ce0

SHA1
281e4eb9642ba0d9f53742619c080727c4d05e93

SHA256
3e595a5ad984358fd77b48c38aa91975bb6bc77c0c19b2703613a5b00b5a93e1

SHA512
31849339cc186388246acddfd2e3280336e6143a359c64befd9a135e8fd896a76b3b99a1740067368d2df2ac2fb936641f21b08bb60f3547b77f0e3b822130a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
863B

MD5
d598ef5c3b3376744946b18da9ab35e1

SHA1
e486798eb5b5fd6f13b08a7dc058cf2ac511cb59

SHA256
d74ed405d3a93c031a85a3c2a64ef1276b33bc80b68181b3675b967f783f481a

SHA512
0f37f4bcaf08e1d52ef4e91346a6a5ca535ef582ba7b9a9e72658294cac5c75ec2ad8b1b355d961d84aa26ab7f36faf2881ea617b73a9e1ace27667826dfd7d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
863B

MD5
54819cdad40120b7a9d5005f257a1294

SHA1
f3999505da07678bb0099c3de9fabe13ac573020

SHA256
01a2df5ba074010faa74bcfe3d08b9b854d467d2710525528ba4781544af149f

SHA512
f126eb3d52d4a7edc51ab2701f1c00a50fb386da142c125bbc435747a8a23c3260be05e497b4310d57bd2a037d4973d041507df43c40839a25e8fc5fca070407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd8abf904af9077b15b6fa7fd279decd

SHA1
4ba30bec2a9f5e2fed32251ff0ad4c9eda6e4a33

SHA256
d18e70973203d163f25d72129a39c66f6b6c722ddedaf570aaf29a7f26e42832

SHA512
f9a2dda7def75b513aa37440185d728b91fe834fc3dac23df4f37b2bbac9c777e3bf3ffa1105c70378e40294f56ad6b4aca32ecd93a23d509cd8402565091c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cae628b19fe7aa983da2391017155fa2

SHA1
d5ad61e48ab96a1fee32d28b3b4a8e129bab0cc6

SHA256
9682810533d11997ba9e2221b2f4d1f29dfd628335f6026282dbfe3d779cc7df

SHA512
122be960b02d2dab9331c81c8c495e6e76e9a0761dbd822ba0b816773ddbf851a82ca6bc7121e50297663f393e2fbf5058ad7ae94ac74fc3fdbe653866fd1bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e21ccbad27be829c2a573c51f53da0fb

SHA1
53f4d9bae4c943a4f318afe4890607276d72bf7a

SHA256
ee9caa3f5c0010b4a67dd303b47484c36f391a9a98f44fcaae2753fe563cf74e

SHA512
0a9bb6c2d2b2e833877da2c6fb1d341b223088f0a545b56f7c6fdfc346d72a260c5313f81912edd74c3837ebfa4ecc83b39cd96f6652b50b5ef205653a2d12d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed116484ee5f2f95ee5f5caebf07c1d3

SHA1
85338339b81271f4ea4c69a0ef28b5b689dcb05a

SHA256
4e27a77f46541f1c996401845ef4577bebe6fdeca308485a4d01ee4b2336c10d

SHA512
1c07be7ed0b045755c7eb1ef5f1bf4916fbeb26847a53064ef96d8a75b9ec126dbedc0b48679fdce480775a0d824c1782fa1ada886e7de9549341febe2defc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f28417cb1a5a695f011722a23e631494

SHA1
94a173ad6996342faa3c1339bd1f07363b913eaf

SHA256
16cec356fe7804a04ebd6732e9e112a11aea553ef53e9f9c3f1ea8434766fe44

SHA512
807baa58e824f259bb9bb3f028c48810742433ba00a73f02791d68c5a2560d20bd58b6a8ea66b74ea2b5facec64eec675adc490bdf1a94d85b464b7426ab0575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af34442d88b101c1ebfc2260c0436f58

SHA1
20ca4f2dd8127bab1edfe8e66dc6b4196eb508c0

SHA256
44836e6cbb2a984447aacf51b7af2ea6563efb8b4d7fb1198e48a2abee33df8c

SHA512
64132bd1edf372eff0db3b26f08b08e49106902c93b25ee894ace9dd8da8ebc942e5f636161cfe94570c967d5140d334d5dff95fac6d934b7a379f2e31ce41f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
580c5ef79717396048a4df43a640b05b

SHA1
5f06a1267615192c520c34fd749deba31823e4ca

SHA256
9106bea8218c6b5709641f1aa24f32ffde22f80d67d6a3c7c9b2a9da013b2080

SHA512
607cbed4bbe6e2540ad24196a20b3cd8780f085cd5817ad6778365df2abe6d1ded5e581ad04725e5a9f6f1a1268d315e41b39ce2dd6f405e5ba0b9941db7dfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c85b33b7d028146c03f4a4a8726d7a3b

SHA1
1d0b7f7cafb6f472131cdc88e4cd732d8810ed90

SHA256
56ec803816dd46c138c1e1e45e35c104b902d5dfe9ebe47a157c01d686fd154b

SHA512
68c5a15213c3d1b1d1348f4718c29fce3fbd543274682de1a02b2d1a7c0fff1f565287c54691accf3f7662e19e118374d21f7fb146f29022bcaa902982809307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
152f557fae1af177dceec924d87b0eab

SHA1
8221088ceaaab6b7dffbe644a90099d653f485c6

SHA256
f0139166ea75ee6ec41b314f048243d4ddaaa5fb2d56932b4aaa97bca9ee2487

SHA512
eb1eb3beb0401405b4e15cb72e8295b48f3e337e15c8b2001036963d2b7c88137ece0947ba02b5eb53e8979f60521743cb500e67e2988ab535402b8623653a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f8d2417930f3bee2e9fefd0e5e110e3

SHA1
a094c6f88f66f4aba8c988d119600a96e8e48682

SHA256
998ecbe8c9817ff41f771baec3653f9b5b0d33d60c35327c14f40c3e9a04291b

SHA512
ff7e3992570881f59af46466cbe60b22f7f1cad26e2d5cd81a139b3ac45f0edf6f73f8ccff682e238c1781d879c52a6f379962d0efea22c51f63d123aee445ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c3b28a6c7cf44e208de007e0a4801b5

SHA1
0763933e31fee4a8b27cf1c35213c6c629eaf4ab

SHA256
09a37ef6a6d4ba453f858781d50c128f5393c02616dd4d8eb8bf37282dd10e73

SHA512
430a43fe57b7e7c0b37b0f04d49b8ad115c8e240f585f74e9afab87e67f0d294ab6810f3a8e6ed261d2c5194f7b06a94c087370dc4624c2f5611158596c2785f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
46f3d0bff0d90b6555889f56bd33dddf

SHA1
5d47ba9570f6640edbec55539c0de0bff8d296f9

SHA256
64d649b34320b181de386bc9f662d345b9302b31ff9f96f4428f9aad3abdc4b3

SHA512
3f86275c9d80e9e3d805e07cab8c288f3a575c57de37efa59431f447672ac3b5987ad659649616804e639b62347749f686c611581d1726b3045a99d27a705e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
672c29afba12f57f9e26739c92972510

SHA1
b551c5812cf23f1f0c1877172137c205a4e97264

SHA256
805517037ecdcce40595443f8bbfc211c316f92e379823043ddda39190148c58

SHA512
100ce42402888c8a1647304400f6d2f3a256d723e4a4c9719a2d7a7341c020c4555df808b8991a875cdfda2fdbd2c36216f7b022256a2501d2eaa37e47559581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bc27.TMP

Filesize
538B

MD5
f8600745d2a0b60f7596effda22d9c74

SHA1
c18d5cc1e6ca29970e42fa47ba270aa395502d21

SHA256
0c5fbcb437d757fa68a1b4cfbe014adce7c52b07b1783bf1250808a293e3ecd4

SHA512
80635aa23bef000cc21a645f5ee3f5a1bfca67bea2cb4075eced73edb827d05446891249f9faa519eff999829ba83f0d643855272d065ef802e94d21278977ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d03d2b5c56ad35c0ccdd0c30387dd81d

SHA1
edc27838503450b39c549ebe1dcbac378488c36d

SHA256
72d2bb589950ca1dd8cd03b6e9b510292e9ee723bd45356e5749daeac228c891

SHA512
e8818151b8dd6d20948bd7fb68e3f1c713a8b378fe10fb9ef8e533a4bcd4e4738257c3a93738c0b6f669f8a87f29140157418063fabce0984bc17d79442021b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
010e0ba1963dce8188d83add25165cc1

SHA1
246ed73276146de22e184e116bfaadc7c0d456fc

SHA256
a23cf12693b52773c269b481ef2ff017210419b65ed747a46852ced4cbc04a7c

SHA512
2af0910206b58928a6a0bc88eb265b99e630bbb2b279f507617f3eafd1c391e3c433f4cddd1445ec03ffd8d383338dcea4e644ac392283623ecd32bec4978f13

Download Submit
C:\Users\Admin\Downloads\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\MEMZ-Destructive.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\LOCAL\crashpad_4820_FFINFTXTALULTXAV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit