bf530d986a3152b576d36275fdadf0f9c439230fd0f446d1296b8380cacb9279

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Batapro.exe
Size

738KB
MD5

71b81937a63149221b0f1893673feb60
SHA1

4236ca0e2f876da5f52e266bf711bca21a83e974
SHA256

bf530d986a3152b576d36275fdadf0f9c439230fd0f446d1296b8380cacb9279
SHA512

16d221307fe845bb1da4abbcc41a688f0cd2caa75495990e3c120a9e27ab63528b0099d1fdf09fa931eb66eff675797b2caaef202dcd82fea2fed06ed3eb9284
SSDEEP

12288:TAPTERIP7QBU1JanUy2p3BmW1ko01b+Hkfg4z9jsTM6M+3JXMJ8ePTbn:87sU1+UyKmokL1KEfg4+w6xWJ7PTbn

Score

7^/10

agilenet

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Batapro.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation Batapro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Batapro.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1984-1-0x0000000000100000-0x00000000001C4000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 pastebin.com
25 pastebin.com

flow	ioc
24	pastebin.com
25	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Batapro.exe

pid	process
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2356 1984 WerFault.exe Batapro.exe

pid	pid_target	process	target process
2356	1984	WerFault.exe	Batapro.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Batapro.exe

pid	process
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe
1984	Batapro.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Batapro.exe

description pid process

Token: SeDebugPrivilege 1984 Batapro.exe

description	pid	process
Token: SeDebugPrivilege	1984	Batapro.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exe

pid	process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1604 wrote to memory of 4044	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4044	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4248	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 836	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 836	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe
PID 1604 wrote to memory of 4184	1604	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Batapro.exe
"C:\Users\Admin\AppData\Local\Temp\Batapro.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 2120
2⤵
- Program crash
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa502346f8,0x7ffa50234708,0x7ffa50234718
2⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
2⤵
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
2⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
2⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
2⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
2⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
PID:344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
2⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9028889688671977445,14326782906899447878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
912B

MD5
4187118b120485bdc35c7984f0879892

SHA1
57aed107987e0b5a3fa17889a9e624b085993d2c

SHA256
582522a0be46c8f9061a49c4218db2f94a0fabfbfce5efc7e47eaa7421c06f10

SHA512
06a04e1d8d652e949d67b591a7601ca0e5e4cb0e2cf9c2fd2cedbe557960798b1712aaae384d1e98f4c7818234b7848ad62df4459be999c4c93de72fe68cfe49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ce394b7fb4243bc1b4e7e65fca97d2d0

SHA1
56c11914c2861158ebd464a405c1b3f5a9258b2f

SHA256
7406e7be5007124b397a7ad6eb0657269d84b61db3e7f28908f88a9c0826bf1b

SHA512
e2191a56b2906264239359246d0510e9337033f61e315b183f80c7c9f8a64fbb894b1eedf46f3164cd0e783ebb2ec91a692bcd149fc80df129067a674b260452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
377e48bfa6da482de44ccffd56c0c00c

SHA1
83f88f0316dbb9a8bedb61094fd23bdfdc785fde

SHA256
0595953c61d412e3af4064a13c5df537a00a03d097b76b4001aecbe87703a98c

SHA512
6df460dc78c231cb567ee8924565dcc43d11e575cd3a1757922a537bdf2ec98ed5858fa410cf46afeb65c39831451f5990f3981e6ed0c684e964998c29bfc4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ed9b5c3ce607ac21a8ccb358b0ac65e2

SHA1
546bcbe00fda36531161085265d65a5d19dcbb58

SHA256
58e9665e8d89c540d14c3173b1fbaba510eb30f7feb86714007dee2c678ade17

SHA512
c8b710898914c67649dcf9dcbada2ac67c180049aba7425324cddaade118344b6edb658bed7cafd7d1f4370d467e196923fcb79e762ff8067c83316ea137510d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
a4bd6bd232eebea02be151b79e698390

SHA1
1c32728233c36fe6a58eccdf0c50407c3cd895cb

SHA256
c033aabce4bd40b28f0ea9d04b25ed2bfedbe44ce7867cb7e4fef843019ddfe6

SHA512
2b272015a10b2ba696237b83b1c33a02702b56560f74d623a660940c462678e5e54755054cbee72ba95cb6e50e5e6b06161afb45aad61f924c4ddb6f7a9792c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
20bcd2338fab8df6ec227eb4c264316d

SHA1
61ed2077cabe37c6cc42d85a9199bde28c7bf7e6

SHA256
35f02373c7f2b74765c49ec28c484cddcbb2f9efd8fb7b36e8e9c49b1429fa62

SHA512
753d09c67749d3aafe8c204319b801a6af51c443cc9df5bf1d5e82b92caab03285e47045a7d15755e63317ef2cafb131610c06a7c8b0de54f78c6a7562bfb721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5832d3.TMP
Filesize
48B

MD5
acb709c4cb39d39ae521125e0ad57606

SHA1
5daaa7f0e378153c1897d427e1c3734d145a0f19

SHA256
4e44788939e403c4c71bf026eea1fefdc6b8b0a458d954d14989d5292c851014

SHA512
c21fc880e4f672d06fe008bc8070ee02f3c7fe5638bbbfac5f2e448c32d45625161e639b977de9d9758caf5940fa62a6e06717c1edc97d15fcd0cce7910d3f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580460.TMP
Filesize
370B

MD5
d9bf8aaa6ffeb462791dcb768b705ab1

SHA1
be23499ded413c9bddbc3e5ce77e5338e567112a

SHA256
cfcbb94106d9a35ebe5ecf7ca6f96a87b91ab8ce808ae55f3d9609c7f6ce3265

SHA512
c4f89d1a4c436484e5cb2319ec73efe26d7758c7f2ec4f18ad59d83704b85aceb7c16e01f7de8eddfce38a2ae1908e3207e7b9cafd94cd4fd1923f6c90b91405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e9e0a5b9-c65c-42c8-b365-029df88dbc38.tmp
Filesize
1KB

MD5
089fde2b0a9c8eb23335b443aa22817c

SHA1
bce7d5e8cdd70996fa710e393ec4266685ba85a4

SHA256
ed4d2217e166386f9544ce51ccae946e70d9f6ff2501a67824a173be61ac6c4a

SHA512
a00f1ea6e36f9158a6c25534721f207b5501a8425d38f6b3eea25a3e6bb510b3c816fddd7af6ed14cb47c48341c65d401c6d8a6cf58d30f5ba01fd814badf390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
412b5622f8bfe8df6c818a82482578f2

SHA1
85b982046447ac4fd9cc87f70083ec68ba339566

SHA256
345c1a849aa0809947f23309ed031f224e26b26fabe25692ec345aa2a4b85467

SHA512
dbc726b3fef5eed6962c131448104f460921dbb7f1421cf5a780201b63ddc97d8d7aef9393820c0581e504ddf3f8df099b1fab22c7b2b2841be595689512e029

Download Submit
C:\Users\Admin\AppData\Local\TempBatapro-QDKVG.exe
Filesize
17KB

MD5
dfd3df2f877d2d406d9151cf77a3c358

SHA1
b46757e1eee470dbf0b1fd5e9e72183edad90ad9

SHA256
f284712c9b095a987c6400062a9a7bc58ee8ac6349944337bf8230f28c2d2792

SHA512
99a76c018a4c120e4e6825e4b7d9f76d5b337ce5e7328a4ebd1c92db749d8a50f35586df3713a149afc6b34bffff8a0f7f0ca04acb4ff47261eec5d280f9810f

Download Submit
\??\pipe\LOCAL\crashpad_1604_YABIBVQKXPSSUHCW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1984-9-0x00000000063B0000-0x00000000063EC000-memory.dmp

Filesize
240KB

Download
memory/1984-2-0x0000000004A10000-0x0000000004A9A000-memory.dmp

Filesize
552KB

Download
memory/1984-3-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1984-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/1984-19-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1984-4-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/1984-8-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

Filesize
136KB

Download
memory/1984-1-0x0000000000100000-0x00000000001C4000-memory.dmp

Filesize
784KB

Download
memory/1984-7-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1984-6-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/1984-5-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download