bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
79	raw.githubusercontent.com
80	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{91BF3ED2-FD89-40B8-A02D-0656D8F7D141}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
2416	msedge.exe
2416	msedge.exe
4844	identity_helper.exe
4844	identity_helper.exe
3236	msedge.exe
3236	msedge.exe
4252	msedge.exe
4252	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4908	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 456	2416	msedge.exe	92
PID 2416 wrote to memory of 456	2416	msedge.exe	92
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 3840	2416	msedge.exe	93
PID 2416 wrote to memory of 4336	2416	msedge.exe	94
PID 2416 wrote to memory of 4336	2416	msedge.exe	94
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95
PID 2416 wrote to memory of 4924	2416	msedge.exe	95

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
1⤵
PID:2964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe6e5e46f8,0x7ffe6e5e4708,0x7ffe6e5e4718
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14903598583660396072,13635870092510006671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e978fc7f1479859f6e6e324b954592d9

SHA1
47d50a93dbf19d2778fc29f31327b7379a1639c8

SHA256
f439665438a7105edd7b4e2baa8f18559141541a6fd9773dafe52a8d9f03d374

SHA512
494e266a8da5de10eb33118c415c53d8639b37854f658425b74c815c65f7e8c0ff10e9d5cf5c0a134c5641d0ccca6d8fe70bb9dc0ca1a4e2ee1d0fc0859de3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0908c6311a7df9f183a63b479958a0b2

SHA1
fccd16a3ffdfc9570eee492b8a3a45ab6849cd7a

SHA256
e80350e6acb96605be14742338ac408b073b3ab3721d232048cb9cca6572aee5

SHA512
b8ab3a05cabbf6126e672d47b0252f89888edb2acf30ffd12b7f95a7b9ffb1e736d92e0bddb5f4cbf0288be7984fbc1853031d1152e936f6d570d9d85892fb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
891c5d4856f2fba2f8d5fc70d37e8308

SHA1
0fc72379fca0b2473806a2bfdf02f8dfc745d165

SHA256
195d8c32913e6f74949ebefb005d54901eae731b1cb5b0f97d91fe3bfaea57d6

SHA512
c2c9cc2b2adf9b5233aa8101c2544f0d754bbe60a53bf6f5af3f1e489db1130cf6c2ae482b7e362e4c7bb60ca24e0a7addabc0d74e52d6059b6b288d36ade9dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37d38698ba27fafc77099eb03ad25b69

SHA1
f5a15d29ea304d24cab813697e9c99fc5d0365e1

SHA256
35f22a4c1fd185fdd4c16666a221fad1e12ed198a8024487fb246417ef3fb7ac

SHA512
c7eb31b8ad345855cdf0831548ba7ee75d2484ea62f5775d47c17be9eca95788d222e2626284f7010a26331dbf44ed8203623379751c3ec918af052f023a5e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd757d3b3aca9058c73d01ee149045bb

SHA1
fe991ca4236840685108dcbc7cb0a9859a3b6044

SHA256
ffe10d4eca5ac5e1222a4cd6c29b5c762af7a3647f53385748d8bb29a30e0e3e

SHA512
11fb3de631f4325d6db36ee2e7a0260d79f6c3ace09f4f5bc6ab87518c467280abfed120a7e6f6d0fe6d4c5f69e899e908e49616f29b2a546b20c52ff5d93b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d189e8ab95e6676422df3c0e9445d90b

SHA1
ed7317d490ac25427de85c6a2dce7c0525cb802f

SHA256
19dc45dd343cf34ab7402c40b3c145965136f8f3f990957af8ee2edcfad6d18b

SHA512
91a22acd4ab2bed7abffdfe51f2698432c2273b46254376453a16fe9672df7181c330573a4a3cbc41f83b49479663c2a738693f0dbae3671b65247d8b3ce5a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1080a7f668fe179864aeb9386e34a64d

SHA1
6b865db17d7257870baa09f73bbda2540eb0fc6d

SHA256
d0235a4ddc71dde1581bd02e81fb40c0d395c8186b7fd8cc9f652cc8030fc23f

SHA512
cdde1a69a135e61bb85262674e464943d242782b3427bd14bb83630f5d09344c2953975b37d2f8c51ee337e5d93a240c0fe46c46dbb13b6ff450b0857447e242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5e98473761c63d8517185772b10a45eb

SHA1
7898855fd346dabab6051bce7b1ad0901d3f349c

SHA256
c81993f7b9fbec861066f1d26e5025bc302f65c229d4e467c26578c5565973f6

SHA512
3c2da4459a5cfc5060896c79e918186d0247efe5818097a06d945061e619602c0c0d541d95c74566a51ca0dbf71ae13528527bc54d4ad95abdf31334e07179ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26b9f6eba33a20caf8fbfdcdf0fb4b49

SHA1
2d2f749748fc10a2661b880ee2f553ffbaad48d9

SHA256
f98aff22207595b148ca63bde83ac419c407214c5ada20a6f4fece7418ca1775

SHA512
30184c473889421469677761f920a5278b76e836358cc5c16dc99dee11dc29333417ff0c6cad3a699b17c2c07e47feff51ef16edb62e4a1d52b30040ba242aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ada797573552aafb5da16f6519e32f34

SHA1
a317b229cc913a81c113ec027ca2af69994b0ad0

SHA256
5120051715bb58d8df395e759a7583b18da69e747fb931911a147b32cf81dc66

SHA512
000d7ce708c833a02b431768868d66689f56c26eae56e8c9769b7ba4c2cb0707985405e741f555c82c0ad7cd5830e7139131a76701dd8e860b10aab60a2038de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f021bd474799e39fba71ff840aa24f2

SHA1
a2ced4cbbee457a5bde472d5c7235d7824229e75

SHA256
5dc06b65583730ed780e97d7c27618993941ac585ec55fdb3d4de2a26ea11cc5

SHA512
73c8af168caa60c9b24b908329e43eb3335d5cdf96a098a4bdf7cf1717b6d1f9be1f67dcf597360d2cd19421ca4846330a418187b7689cdd905f55033bf4cd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c58d.TMP

Filesize
1KB

MD5
b1c3d19ba6c49c4d79ed1fae5b487d84

SHA1
8857875223dd82f155765c9e5d660b2cd19e4c1a

SHA256
67a3030c83445f9cea4fc3795afa1085ddcb4cec1c78ce6b5377ec573194949e

SHA512
d696111cd420a1b975e771de8555f492fe590ca39fa6aad2f938925b74a4791f137a02fcf94fb9ecd268d2dfefcbe4805ecc9e8106e5700a13977eeaf666fec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9b83a1946482dad2b9c1a764d1d2e7a

SHA1
51d90fb7b3f1e27b3cdf6af9e2e3de3c0af9ce1c

SHA256
8c9bcc460a3b8b67f58d2c49a802ae7181ed933e31831724c6fc4b9b8dd528fb

SHA512
449dd3ec6257f21685b96ffc454dc4aa72748fc11712be76512be6bbc3f2bb475c52fe78ce8e07fec4b599bbe5521b33e8221def16d7feee81bcf76db4bc0f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7bf54bd5a32c22a92af8bb911f4f43b0

SHA1
32094205afdedbfda5fcd44b9ff177930aebb4d3

SHA256
4822e34aa8df84caebcb2129ebbf4943084d8a20c602da43b7fe89fe9e867e3a

SHA512
474951bad88a008c063a5481f7e5b171fd26e03faea880186ebddd438c0a1606969ddb7d725d0248e07cbac1e93dd7f86e23a5d16845fdfbab4f52dcf6e9024c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2100017a7f7bb80c861da997408ba067

SHA1
e906a0d96fbec4f21c70f8aa86fe3017587f9841

SHA256
d48d893ef4e8b85a33ca2e59f6039dac0a524c444905fa48fa336ab7134882a5

SHA512
41081971a5bfc5186e4eaaf43179df3e61ab2696f28609d86b02a7bf165482c0d250b1ce95580addf0e23554fd1031a270bf686c32753ee2a767071cdf0c0bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
87221a7a72c618682620d3821bd45d0f

SHA1
546fc51b2e6162d3eeb26b15cbd0a9ca9451259d

SHA256
057a25346ab1d5862bcc5ce0e8a7e60ae9064d4a8f8ac156e63ebf3824c338bf

SHA512
176bd470db463b98b876fe29095ca81746e189f8521b09ad9c53d86da1a3711e2dc2cc181b3a8a07f4b78414ac1b6095accf6deeab6d49c0b73d390615b9d0fb

Download Submit
C:\Users\Admin\Downloads\42.zip

Filesize
41KB

MD5
1df9a18b18332f153918030b7b516615

SHA1
6c42c62696616b72bbfc88a4be4ead57aa7bc503

SHA256
bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

SHA512
6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80

Download Submit
C:\Users\Admin\Downloads\zblg.zip

Filesize
9.4MB

MD5
207b597f03033b2e0644bbbc29f04053

SHA1
0ad88c964f6f7eebafa7156080a7bcd90ab32a16

SHA256
f1dc920869794df3e258f42f9b99157104cd3f8c14394c1b9d043d6fcda14c0a

SHA512
f50cdf77557160a7294406e1f2d57ca789ec42834881069281e88ac334fbaad901229da0e460b26a1b69724a4adbf9d0e92adba9c3ac86aa1603b857789c1db6

Download Submit
C:\Users\Admin\Downloads\zipbomb-20210121.zip

Filesize
17KB

MD5
4320c08f84b679e7ccd881ff4344da39

SHA1
c0533e3d39c3409bf719dc21e585b63909c85b6e

SHA256
50243fafe7407d88f08493ca53d61bd56504bf88fc35eabee2e7a391e08330ae

SHA512
922af6b4dc627ef631675f3785364872bfb2ad923a75affd575c0b31c1ff75ad15a24b1090d5722aac82840c1359ba50c09c02c9dbe835a6ad97ce8cd6e713af

Download Submit