47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEmsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1576 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3584	msedge.exe
3584	msedge.exe
3228	msedge.exe
3228	msedge.exe
2920	msedge.exe
2920	msedge.exe
804	identity_helper.exe
804	identity_helper.exe
5476	msedge.exe
5476	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXE

pid	process
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmsedge.exemsedge.exe

description	pid	process	target process
PID 1576 wrote to memory of 3488	1576	EXCEL.EXE	msedge.exe
PID 1576 wrote to memory of 3488	1576	EXCEL.EXE	msedge.exe
PID 3488 wrote to memory of 1684	3488	msedge.exe	msedge.exe
PID 3488 wrote to memory of 1684	3488	msedge.exe	msedge.exe
PID 1576 wrote to memory of 3228	1576	EXCEL.EXE	msedge.exe
PID 1576 wrote to memory of 3228	1576	EXCEL.EXE	msedge.exe
PID 3228 wrote to memory of 3944	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 3944	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4384	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 3584	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 3584	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe
PID 3228 wrote to memory of 4396	3228	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://isols.co/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=15488836
2⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8965146f8,0x7ff896514708,0x7ff896514718
3⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,607343163495678217,15312153489452021155,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
3⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,607343163495678217,15312153489452021155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://isols.co/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=15488836
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8965146f8,0x7ff896514708,0x7ff896514718
3⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
3⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
3⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
3⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
3⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
3⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
3⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
3⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
3⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:8
3⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
3⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
3⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
3⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6637920512803701333,2755181640820801292,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
44ca6a255ae3fd9ec0aa13394872e74c

SHA1
1d26f490c0b2a8929343f2a27106057919e735a0

SHA256
fc26883f9300cac9ca07adb628281c3a86f2298936c2250096bb6a1822dcacf8

SHA512
88dcb0cd3b871542bcffc2787ee939199c57f2adb350939088807e903039c3264b0d956fbfccbc06302187d4849512bf14df847152c295d2d873cf1e9cd699bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
176B

MD5
d73f11a47cead40e325cccc9c11edee9

SHA1
79be7f4d3bbbe2a11307e8d5eea988c1f08f7687

SHA256
72a7f74891e1209cd3fe322441dcb150a17ed92e5c993699fa2bff72168d3c1d

SHA512
0e947f05f3bddd8a8c0a3f4922ffde01b67fb1656861ec447207c24a8e4e145483c4c8057bf3f3ad6bdba495afa693e43d2de499a01f49291fdf566cafe876b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3ec7402f74338cea1029a338d99d9a79

SHA1
0c3aa98e4240a5b352c45e7ab989a7fca025ed18

SHA256
babe6d4013e2cc2dc4318963f49b99a19b452b8d469e544e7c310e085b42ac08

SHA512
1ef52292a636e5433a30f5618bd2752264a69af80f210e73924d30e774989c05f7300d459eea94c6946c49d7a81a100ec6e3d2050972b6875def8abdfe850a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a088ef1e505d749672c8188a73926f5e

SHA1
4b6d03b0ea1e6fa8399ee83a7431f9fc848c3c72

SHA256
3fa6499427b67885980004e63081596fae1e4267ccca9409e892af6b5d681395

SHA512
c8dc1547a91abbc7a6dd22f7e91e0f7f5ae1d904c5ad458bc0de428dfddb3b7023b8bb3953b462b28fe9fbaefd36c14ecb5bcc85b2800c3ae03b8b20976f9f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
f5a84dd08c8db508f18537c276f884b2

SHA1
f5658a05138df29a30cae64c700b4c2d03d2c45f

SHA256
7f0518122e085f8c56c70dbd350e77fad40b7834c336e525365fa6f2f58c36e5

SHA512
5dcfc8669764dd04b261158eeccdcff2df5356c44b5c8c3b28308ce1bf6af6607d2c53dfc00fa2c501b1fd8b1516c57da8d92e7b5556d6372f72b4140f7625d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1e5da34f20ec2dbfd5e65c0d57fced39

SHA1
470e8190a06f0bf406f9fa12484602e3f7717745

SHA256
77c1568331a7fce9525558ef03528604e2ba0f8865131540bd6a136084033960

SHA512
46558da587890a2bdd2b9ec14cacb8d954905d0aeb3665e94821c4871266b4bc7752f602da22cb7eef2847e254edee9b99253a6e3f435ae88fd2c13c7e74d5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
f62ca9abd4be4b780e397f0d5c7127ca

SHA1
538a66efca14b06375e238471b75d39dfcedb789

SHA256
1845b40bb1165264783801ed872445cb4cc25445eec74c8a710850ddd8d2b3b3

SHA512
8926c2d61442f24a7123a952033a950082f80287c51daf94d2c192e3c2a35bea9e7f34b4b6045f8fab3a19084ff87722457a605d98775560cda0bddb61b628a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
5fec5990243d0308ccfb1790c85d66bc

SHA1
6585ce480c16d37af8ea5ef1b68e6d3f4b401936

SHA256
a5e463732ebbbe32e24cc6b6d066ec5071e29eb49311a21e9fa50a822c81b998

SHA512
f76bd720717b9e9ad2d341af930df3ea5db62dc839f7b6b3a1dac002e14c9427444f98d827c08e9852e0fce6d794da83215a7740851ecd5658c48d56312c5c08

Download Submit
C:\Users\Admin\Downloads\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion.doc
Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
\??\pipe\LOCAL\crashpad_3228_PCSPVZNPNSCVAYXC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1576-11-0x00007FF879D30000-0x00007FF879D40000-memory.dmp

Filesize
64KB

Download
memory/1576-7-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-19-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-17-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-15-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-13-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-18-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-16-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-14-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-12-0x00007FF879D30000-0x00007FF879D40000-memory.dmp

Filesize
64KB

Download
memory/1576-6-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-20-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-0-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1576-9-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-10-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-8-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-5-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1576-4-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1576-3-0x00007FF8BBE0D000-0x00007FF8BBE0E000-memory.dmp

Filesize
4KB

Download
memory/1576-171-0x00007FF8BBD70000-0x00007FF8BBF65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-2-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1576-1-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download