hxxps://portal[.]pavoscore[.]com/UnAuthorized[.]aspx?key=p1&key2=011cdcda-c373-40cd-9292-d5bdb658b359

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04/07/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://portal.pavoscore.com/UnAuthorized.aspx?key=p1&key2=011cdcda-c373-40cd-9292-d5bdb658b359

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3296	msedge.exe
3296	msedge.exe
3484	msedge.exe
3484	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
4568	msedge.exe
4568	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 2660	3484	msedge.exe	80
PID 3484 wrote to memory of 2660	3484	msedge.exe	80
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 2908	3484	msedge.exe	82
PID 3484 wrote to memory of 3296	3484	msedge.exe	83
PID 3484 wrote to memory of 3296	3484	msedge.exe	83
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84
PID 3484 wrote to memory of 2144	3484	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://portal.pavoscore.com/UnAuthorized.aspx?key=p1&key2=011cdcda-c373-40cd-9292-d5bdb658b359
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffda4a53cb8,0x7ffda4a53cc8,0x7ffda4a53cd8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,15459587230393249419,240170276546466979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5388 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e55267c0fbda9d8df06b42d3b78760c

SHA1
160676e944f686f75f960c30b0f3ff603467d5fe

SHA256
d03b831f28544786739b84a32aa015a3f760b4e0b26cb5777fe55f4678d6aa8e

SHA512
1a280b569189d3ce02b7fd9a53c0085f8f5a8a1f13c0f00c8aee23dfbd042bac5b2c0d3e64cc5a420dcca9a20bd1bc4c1be262343effda8f109de874cdd63ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
418d6ae7018df9202508b29666d4993f

SHA1
2fd78bb51a43911f6f27be12f93c8ece7a432736

SHA256
4a317030c5028d1506a634eda4cdc84ae69621e596278c935899aadb89be824f

SHA512
e47f9aebf117c0a96776ef48e2f7edce14ff08a63920ed899da695a1b1ec1b5e73f23674e3ac387e396561194d67e505f3417056214318f8c83af879754de0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
0ea65c8c2fb026ce4a64f7de3a4ed4ea

SHA1
f7869c4eb359ab09fb349db9565ac2d0dd17b137

SHA256
af34e07dbc0e0c68bfccfbda2a0662b8686be1443da6235a8d362e60bd89b8e8

SHA512
d09baf1aec10e8d3f1c75f6e1e069b697ddaede18fc588bc3f573a3525cdb8e3f432cd3a9eea9b031581ce4ea87f42e35b512463fede4aa5aa2aa8d98089f206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
658B

MD5
f945c6bb018a54d82bbf8b41941c4f16

SHA1
5e5a3114701f2c6824a4e7a862ba25ffadc844a8

SHA256
916ece46781ad3529153b655c4b880eef956e44d7a553dc2c5e131c44c7380ca

SHA512
64e89871f106557b8973ba86eb423e15e3838ed9fa0c2168af0d321255c544795a45a4edb933e5a7a8e9714360fac27c5193253ea54c14624fcb37d2a12b46d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a15e867678b4b60328380aa328eb740

SHA1
c276a4474b13e1a1ba6a856f57ba64f3c3d07dc1

SHA256
a1ab450e0d4fe8f97485d166afe6b6a8d0e86148690efd68df3760a55b25a834

SHA512
5df8754b247d44247e29d9670a237955a16a29bde927c0f823748e553f756b1c0f40c1e9321a0d86e11fd53a26b2ec0c2b29898f3a6bd3ddb02829b56606a16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16d7b76858f03b1242814912fda734cc

SHA1
d62533a09edf7db6ff44a2ce31b99adfd5fb56a2

SHA256
0d584fd5aba8fa56e82999e563d66c7ce28797b14c14049730b3e295739d4f94

SHA512
81cbec793b9597a3c863b198e8cb0a8904da8b5b3bc2e217635601af07df5a1a668d6d5d5267b3780c07460c092f099fed60beae75a97fbcf2321bdee70c7317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d6ac3455672a8b91d7a28ec8e23f396

SHA1
794e7e487022c715df785a4c0053fc362924425b

SHA256
86028200e0cb99f4ef5b6b825a40b764ad05a582a92691a41f1b968e1231153f

SHA512
157906eb865bacdcdfbc6b835ab9b0413596cf7d5f0cdb8ad951bf777f637be7ae87cb62ea29cc6957967245265fb0a27b0423aa31dbbeb6bdac967d0d81848d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
a6b7032b73481036ea61cd30e523c833

SHA1
775b0d5ce950434d0fb4bf65747691376db91510

SHA256
97c419f8cde56ee053ae721766d13f0d997f30a16e969ec838c7e0a243f3d8be

SHA512
23f87e252a4182e166f43189a8079cdee6dfa2f06608ffa0e40129d575343021adecb2f7512c074a946a79f4dd0826581582f4630f436c37022be384c5edfa83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8eec4827546a64054cb9d603442d66b6

SHA1
dd27c4545b2d96a081aab1c9537fc609bd2dada5

SHA256
871fe8b1f613685a0d7d0553039ba3764d2a3b9c543fb077ad40a37ee60ba291

SHA512
70598ac1bd34fd63dc7237add1cfc7749efbd59f717a4c1c782186a0b60024afef0481d01456a13ff0d403c73b5ab16d280d01f4fdfa7905cfdcef9cf1acd626

Download Submit