hxxps://github[.]com/Endermanch/MalwareDatabase/tree/master/modern

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/tree/master/modern

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
54	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
5080	msedge.exe
5080	msedge.exe
1148	identity_helper.exe
1148	identity_helper.exe
4144	msedge.exe
4144	msedge.exe
5984	msedge.exe
5984	msedge.exe
1332	msedge.exe
1332	msedge.exe
2812	msedge.exe
2812	msedge.exe
2936	msedge.exe
2936	msedge.exe
3076	msedge.exe
3076	msedge.exe
4136	msedge.exe
4136	msedge.exe
6112	msedge.exe
6112	msedge.exe
5372	msedge.exe
5372	msedge.exe
2140	msedge.exe
2140	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4920	5080	msedge.exe	81
PID 5080 wrote to memory of 4920	5080	msedge.exe	81
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 540	5080	msedge.exe	82
PID 5080 wrote to memory of 4688	5080	msedge.exe	83
PID 5080 wrote to memory of 4688	5080	msedge.exe	83
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84
PID 5080 wrote to memory of 3404	5080	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/tree/master/modern
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ec946f8,0x7ffa1ec94708,0x7ffa1ec94718
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5925741645244166286,9905899439849992094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
1.9MB

MD5
809d0fb04beeba2fcd97520adc64de5a

SHA1
a7aef4e35940f7d4e3bd45860e2e41a2a50742b2

SHA256
5d444a9088d2bc42d888d97d84bc74001c61c4324bdc5611e17dba3226e1ac1d

SHA512
1342715472635bdcc4fe3823683dd3648b4c6e1bca5be37a838db2a47b2dbc9813ea82364c6cc7f2e9db4620ccc690fee079772e058d1bc59791534a44fe0a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ffd16a20e03f8d9bcdf14f96e8500ff0

SHA1
a27d211898e662f0f96f72010a5147534af0a142

SHA256
92b62ba5f04ae80b72de55ce4ecca5e3c984e47c0a811f6f7b310e6033e7fa5e

SHA512
bf2699a7b645a3038a5640d6af4f6ba94970abf5b7d2297bacc84904ff4f9453068db4f9f117c17dfa6321fb4ea399fc96311e7fc945ba40b70a655901b5033e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
892b310d0041dd7b6dcfd02057998118

SHA1
098143706500832421c99d1aaa4fb383191bc45f

SHA256
48776f6a19e70ed1a42a72b869b2713b79a7d3bbaa6aeeeda39c8401af0613cf

SHA512
64ccefa9fa465973e76422493d189935f45df8771b416a3780965d2911b0668221bda7ea140c2e072988a71796f01262780a78dc58b14bcbb3c59e52ea6160ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e27e423f41831a720e7c6175387bc02b

SHA1
984d5c004a79b32e6ddad4973096b622e0890785

SHA256
ad4fa256c425993918527e43f706b131bb88a7609dd97353feb3e0964a635846

SHA512
b6c418e063842bd9b6f37f2e4a538ee6e736d2f953ac134490320cd274837636762ea0938b5b08c2b9dd5de4998da8b6499626038ed1a56f5cbcb1b7acf6437c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad96ff823fd9baf38d3c6d1fc9d5ceea

SHA1
70835148f69ee7da6dbaf42d43df5001a2b06aa2

SHA256
18be6c60caa25cbf35903f26e8db0980a1fbefdbe63547f3899b90516c7522ec

SHA512
45e05ed9952ea9f90f1027861f31b6ef3b80beece79019a1409ecd068fe2ae872575f831a99ccc6ac0fdaf49da8bed97b5ea43006425e11b69119e4612cbf029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c59f28f2dfe465c8a22201e4b130898

SHA1
2b15ceee67392c274801d83d2637bb8f0927e8f3

SHA256
2c2879805d11f1b4230ed21d0708c55f6586dd76b6c0ed28d8dceb731ccac719

SHA512
cb1989b2ee1fdeae7bca6a966e924d5660efe6871679cfcf3c0ed78356970b8926f13fc5cfa6664e788b11405ebe3d7f4e56d4d1999ee74829c3658dd3003937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
36ede10c4bb1dedbfa745774f6be7c6e

SHA1
3a5f8690b666a762ff7855cb5c0e6b3a8a368952

SHA256
7244876eb646c6a3907648d7cbc1da98726447caf1d52820b64269ecfa029b6e

SHA512
8484d549ebd7e8196b572c10ab0d43b10ff706381d7fb091a786dc1d36fa908b0c7ff2719a5a5e0a15bd749884d7aa9bf03834f3490e6c660a843420eac7e454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
21b9e3eb42d16ba5da62a51c143a2464

SHA1
0bc3d764b31d3ad2a6b7279b5938bde0674aa31a

SHA256
26cc0ab64e1809dbeb080e41a0d4c3cca7b4cf4a5afdec8c17b72a1ab158c69d

SHA512
81f80939a870f5c544420057dd3ced070cb7d5a4681614a47f7441c198470d0e72e49eecd89e32547080c15615404afee0d7ba55192c26b736c8dc1ee036a59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dffd1555060990f0ad8218f48f16bf9c

SHA1
428c72d5ee1b6abaeeff4f843d401038d93e6858

SHA256
45430e41152643f34463402ddfac7d97e62c2231e434f20a41fc45935bd94803

SHA512
328d706be36c678774a9aedbfeec30000da825784017a0c554f99f5ad8a87fc5a86584726749cde2bb251baec21b5f2bf6ca63ac1356fed6e788b81da5d6a4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9be6c6c411c334e206f27401f3ce8543

SHA1
c12df122428fd295541ebdf94f93ef9e369fc29c

SHA256
c64cc57aaadac92ccdb9755c133019921521c7ee1ebcf172cf00377477d860f4

SHA512
056b3a4b884191d26d953e253e06f34ce186d1d35152d9c4436fc96741e06c44f04dfe0284f8b765dda99e19a0f50aa6a09164c873ff4a39c6463df8701a1cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f8cb9f43a60fa17970a382aac09e6438

SHA1
768af8447eac6d1bae97bcfd007748ff640d9e94

SHA256
64a8e68aaee127311a67981cf12cbb94c01f80e6874eb47837b9fba92f9b3f4a

SHA512
3774058966614c366999adc80bbb86ed3ca7528c0ad2b8b123926dd215e5d2f8e5b1d16a6766661b68099c702838a2e1d1b9e5528d44c09911536a5361b4b366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578a5e.TMP

Filesize
864B

MD5
3c9f703f86cc8cb9d38245708e4a0d1a

SHA1
836d78dcce15f1ce5600b68242f8779699ae22f6

SHA256
758a1b8773395fbc54c6f0bcb4952fb9bcd56dd9f248115216d6b41bad536a7b

SHA512
4e92e9723af4fe05dd1ec559c1b6454bee62a1dfd26cde71aeb39bdf0a86e580596d8b2db421b9cb8de8abe53dfa087aa182855ab79698d56deba29c6fc38383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\fb5e3041-83cd-4168-b845-1b498b11e0b4\0

Filesize
10.4MB

MD5
a738400113275586174d8921f37fd510

SHA1
401522bb246062d7312639a3f74edbfed724e548

SHA256
cfe0fa13a6e81532a93f3a452efc99e54ff7cead0cf33a5a942831be06723b57

SHA512
9e775f8407a43382bfec1d4c101b789417c21b550751f78535b96f405da68c56b136538df90032d6adf7d39ea91573519b6c9c2f984237867ee726ce58a40550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba51e88798abb919fc00692352d6ec6a

SHA1
2f88e0aefeb628a18d1192d6f85123b4ec28a4f8

SHA256
a47e82afa45badf2e36bf5d129f7098a02c6218978f21bfe4755f5fb6693e70d

SHA512
6f4ceb4530939a9da98333e9e467af5273c460c3677e50c5be38704301f583b6db2afb7d8100a0be77e2ef71b4a1ae9d01e6669b4a131781f7cec1b1d4182324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12ee367239ee9305060cde02079d2eaf

SHA1
099703197641c1d963b470801fa1cb8aa6fcbba6

SHA256
ea52747b7d98bed4d88f3422a89f028ca239d14aa2bfd90e3bfaede1afc78216

SHA512
fcef0418d2c15d6e2f5a0dbb19bb870e42013451fff78b91b8c511ef6ee77e6cf591f8877de34d822312a60966108c5170d62c6c430d1fb43ca6a8fe41c44b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa99b58f67f471dc7f37f484107bacc7

SHA1
d655bdfbbf064d3c0fbdc7ebdfc762166dbed65c

SHA256
8b7cab89558f22d569ea4a2c91f5f2cdc3c14fb112456b5851b831b48b6f114c

SHA512
a22a0e59d870763f37d8537face10fb8329107f3575dda5d879fa51accc360de1b4b979a882a7aaf92023aac7be4b5bc9b4ac641836a97f8a4e4f592c032e113

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 646117.crdownload

Filesize
15.4MB

MD5
fa4f62062e0cec23b5c1d8fe67f4be2f

SHA1
0735531f6e37a9807a1951d0d03b066b3949484b

SHA256
a88edca3b030046fe82e7add6da06311229c5c4f9396c30c04ab3f0b433eac6e

SHA512
0ffd333dc84ab8e4905fb76b3be69c7b9edba7f4eb72cc10efc82f6ae62d06c36227f4e8ada4f896e359e5ffc664d08caf76e15a40bd17e9384e73842e845995

Download Submit
C:\Users\Admin\Downloads\Walliant.zip

Filesize
4.5MB

MD5
33968a33f7e098d31920c07e56c66de2

SHA1
9c684a0dadae9f940dd40d8d037faa6addf22ddb

SHA256
6364269dbdc73d638756c2078ecb1a39296ddd12b384d05121045f95d357d504

SHA512
76ccf5f90c57915674e02bc9291b1c8956567573100f3633e1e9f1eaa5dbe518d13b29a9f8759440b1132ed897ff5a880bef395281b22aaf56ad9424a0e5e69a

Download Submit