hxxps://github[.]com/fabrimagic72/malware-samples

Resubmissions

21-08-2024 12:05

240821-n9jjwsxekh 8

21-08-2024 11:55

240821-n3ra6axbpb 10

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fabrimagic72/malware-samples

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
74	raw.githubusercontent.com
75	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{300E5309-A989-4EDD-BA21-CF19146D916B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 414505.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
1832	msedge.exe
1832	msedge.exe
2996	msedge.exe
2996	msedge.exe
4040	identity_helper.exe
4040	identity_helper.exe
2964	msedge.exe
2964	msedge.exe
868	msedge.exe
868	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
5680	msedge.exe
372	msedge.exe
372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	Process
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	Process
Token: SeRestorePrivilege	3116	7zG.exe
Token: 35	3116	7zG.exe
Token: SeSecurityPrivilege	3116	7zG.exe
Token: SeSecurityPrivilege	3116	7zG.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exe7zG.exe

pid	Process
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
3116	7zG.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	Process
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe
2996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2996 wrote to memory of 2976	2996	msedge.exe	85
PID 2996 wrote to memory of 2976	2996	msedge.exe	85
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 3472	2996	msedge.exe	86
PID 2996 wrote to memory of 1832	2996	msedge.exe	87
PID 2996 wrote to memory of 1832	2996	msedge.exe	87
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88
PID 2996 wrote to memory of 1124	2996	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/fabrimagic72/malware-samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac07e46f8,0x7ffac07e4708,0x7ffac07e4718
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1304 /prefetch:8
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,5766435700014173678,4309360420256604756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap1438:186:7zEvent13115
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x414
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
83943d8666d0b8aa300afb75dc9f9638

SHA1
b8cdd10029f0c3f820ddc1838c9c57ca1f4ee8dc

SHA256
083045e43d7bae959bda2b4a31125cc33ea685922f5606cb12b744518ab538f8

SHA512
fc0af16875f229db644455887180eef7ce7d16ecf34de18261d1371f58643ec4bdbcb6d5a33d65dec302a5fa73ed8c68eb40dfaadce241c11c2502bc2ffcb31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b8c13c6379f0a51fafae33d84b228fff

SHA1
6cf5f56ecd8e1ddf33ce88b6ed8cb094ea7d4180

SHA256
2e8c1522c5fc752283909a382b3deb28773c4d873d6478969400740e81250021

SHA512
284a87ae1453e7dc9b44550dfbcd68607d6cb164e69327ed8835125cfdd2996e157f38a4e799459a9ade2a664522403b218ab7ffe76942bd0fb517832a439f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
76ce25dd0003895d216aec011fd48815

SHA1
82b7e4be21ebef67d9fe1b9b8025961da5a45f9a

SHA256
c0098c46f84c08915e00ce0dba99fc5c119a8b277d1525335207466a7ce2f9bb

SHA512
7926cd52bd8cb212c621ebee307fb85584c8f3b565daca95eaef7c8620b68d567334ab8da6b041ff975183fb984d73a84a5f0ae2b7a51c2a60a58a38cdb45f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
453c47dc6c4b0351bf7859783be1483b

SHA1
5ef6642fd935b285bdbba1b05d9a3a6df3898000

SHA256
c558ebcda5577c622cab806c1be074f089744a45b2de055d1c174b77c2437c0c

SHA512
25287add3c0aa460fbdb4c07e90e8ea19a1ff8dbe08a5b773cb781b877991d8e8d62865c2a7402570c70c7475932e2b2c660cedd2650457d03d82f26b223304c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e00ae0c0ffa606cf80eb59e52baf49c8

SHA1
81334ecfdaf99bad78e0486becf8155f7f59e23d

SHA256
b0f9b7150f81d64578e0c209d9607cf50ae9d5a089e274e0326efc70a87d26f7

SHA512
6057d9c413dab88efbd55097ec3d287d283cc43801953f5832ee1b6c102c7aa836f045c151f594e4a4f37e25d7eebf32607c3f50371978c6e0075be26876b96b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
23d3f3fd65017c8849595b1c592a0072

SHA1
708dcc51de3eb400a9402f44ab6462c44f28370a

SHA256
00fd2e12e5a8390c42a825b716485649ac39c420ef529200fad925788273bba4

SHA512
a909298682f660057a8f1056560100dca901c4d1c8e0bb1826b4fcb3ef2ba6e0e5c19ea91380b19bfecf04e89476452cbe28dd08a386524aa3846de54c4d55fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c5bb495eb3fcca94cb421ccc335ce675

SHA1
3219b7989af37e2c9fab35123c8742541535af0c

SHA256
c4654b250ec7c0adf8090e77ea5f7b076564eecb60777034194b6841774ba22c

SHA512
25f7c00ab45559a4e8bdea3a50bd52b9b5dce163e17db78f684564f8667f9c062da7e4398d5ca3970bdaea81e9fcb5ae577d2aaf596e5a47334fbb89b2d49c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1dd120689ec82f8cad9fcd450aa46ae

SHA1
1ace2c10a4e69a87b4c27d05274fb290475471ae

SHA256
d5fb64020865fe31a977f244827879f507ffd57f2d1fb0a16fde1524ecc2103f

SHA512
de5cb9f89220a3fa0c9191c8ee1456f33069df0f6117f96264b5ccc8fe9cb07d61bc11a9b9fadd23e2bb4f8686e45beeac66473fae4dedde0f0d431141db29ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d445b2a108b2dcd40d6e6e9431f4e9a

SHA1
8f2c0602acf6b958342b5009604ff0d8c770c4d9

SHA256
b6c1cbdaf774f39822fdc5e97ed142e5e712009dca8519fd05660a01bdd6d332

SHA512
b08ae638195e95cb515c88bb2bc8e288a2c5f57e75c40ecc61b2919359d0a95e73f3133da9b493dddd472e9587d482e9fc30a7c93ca3a0b903af3d7c718fbba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
918c9381798913519641bf32ec518aa4

SHA1
2f3574f2f0ef56945a3dc96f3663899a1ce17a5f

SHA256
3f2c8f6e1b415373b175b9b500bc9756b67ebf83d563a7aabe8ae4f063e115be

SHA512
a687342147639c0d9e5315b766c96d69736aa4f740360cda3b74536da1aef5033ad50c654dec859f63e305f5f270904b9bd56be451f23a83c6a2484c9c6e2470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
37c46cbd6ba9a01fe3704d11457d4369

SHA1
e905c5741c3826d7731fa40b2aaad4cb0bc8b864

SHA256
36b06a59b1e5dfdde066d184f0228b2af83ce157f6bffce342468e150abd35e2

SHA512
f602176779ddbf2720c178756389e751a0f00455d15ed25792ccb011f598d607373685e7f83dbce6c4c3c06ba67f981ec8bbf3ee7129e9d6fdc7a22699e26f55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
46c1267143c7c22e86d9da27b0207922

SHA1
9fc7731fc0811f9c692fe421b2bacfcfe9d5a5ac

SHA256
12bd4169d0da53fe8eb8f2e1658c4cdb10ef3e41792ced9fa8fe91cf604e6e20

SHA512
bda54f2551f4e009ab93ccb99e0c4a709d8393b6152c5fe1e1633d2bdffd1b905ede0ea7fb2abe7f530c198306b29742fd7e53cb6f9b63dcc553a5908fa2387f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2893e4f22459a365d65c4d45a552b9f2

SHA1
4862160ae0a109d43ced8684c6bbed94fe7dc195

SHA256
ba95739059c6d2a4d98e21d89246821ec7b3112601e1088f40e7eba8efa31b18

SHA512
5c129883a8fe1f5d2bfd56d962cb67a5748c54f22b7ec4e4afa750e66d1ce53d7097d5ff3a87bbe3875148b13c0dfcc4753913f935af577a4e9f4dba68ba0309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c732caec000940adbdfa0f8a131b15f

SHA1
ff24bd48079211909ba27005b1d49fe3f25e388a

SHA256
75840665680e1816cb4d41e74da3238235da8fdbf69644fa3334089c73e81fec

SHA512
593907edc1097846fab723355ccb8bd89d124464cf557506fe6d5d611a2550d3d94a2d693629ec6fd112455dd49918fd213d49546c0a89306642cb0d31c3a4c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
683a5f1c0c3233aba9cc3884b7c57104

SHA1
0ce9f24015d7217ace96778b742690aab4ac1585

SHA256
3d6a02c299bd0de7f57d2efc9dce817c6a5048845cfa4bd36f7f6314e82476a9

SHA512
b1e28792c98752275644dfdcba4f03abc201487d66304a7ede7c3a4b88a81d4446d39d3da4a7829e8f915b589d59955f59f0c2a6d2134c44330c6e5dd1528826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6daa3334c164ffcd1b4e18caea333eee

SHA1
5cefb35ecc5910ea3011c52c9540225a1983231c

SHA256
d62fa48ccdea2e84424bd21e90b1645476c6ca95b4862d61d76fe88716cf027f

SHA512
79383097ee12b725837ba8731b895354e80fa4a1ac6e757e62c79d2675905bdd752c5138e572547f6e17efd98992472bc3a262e059f778e104b55078d601c036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e50456712f9ab81f4146664abae39be

SHA1
7950bfdabab5c0e42bd97ab0d7845eda28a16bc0

SHA256
19bcacca95416241c5da6fb1c5feea5d1a2aee1af5c0f7f1c6f17ba1f32a0105

SHA512
cac6ab704fc16a0b2197897ea34cc70caf28f9ed4489c76403d7cc1c8f001971ba2c8052c820e74ebaaf33e3709fc6807075a76ea8ca1ed066fd784f0436b567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e232.TMP

Filesize
874B

MD5
a7fa6ddc9fec9c65345558bb0b095773

SHA1
9bec8d6cb0a40c9be0aa274219e3a7b54f24dfe1

SHA256
5d8b1902c1bcccc5e008f98ef646e61bb591ac5d8d47025d019596a21b93275b

SHA512
e1a6ad4138cc42a85869d7375f2baa2cf702246941c80127068f98fe303e094973931381451354ead17ebe6c3332094c11976168d8015396a49b3b2e5bee87c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9cd5d5e61c2b912e62c8162fad844cf

SHA1
86b7bdd011bbde7b963355a6d2bcb1b16ccdf1be

SHA256
6aca84466addda2a2b07ec169cf7fa5f65f0cfe489f438861a100dca0ba05c25

SHA512
43545f28926fba64b26ef2ff03d1e10c76cad64569de471ff17bd4f41db58d7cbe56a96c769e400a7fbf18dfdec5782a8877ed55a752b9723e07a6cb26888d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
991352e26643efcec619fe2a2969d056

SHA1
6c43a43408f82a994f0fcd9b56a4f533be6e3643

SHA256
7fb9519c186c08c0bcf41915bd226cc47e95e753c0b95375e5e8ad54157a0833

SHA512
92e2e7d291db1a678c4e817da4471680981bbccdbc36b21dec3bfc4572f378e3317ede99a2993e92abf5e6de90682ddeb6dcbe77e25bed3765bd7fa046a5e240

Download Submit
C:\Users\Admin\Downloads\86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.zip

Filesize
277KB

MD5
57b74cedb501ecda4ffa647d051ed167

SHA1
f04fd9bfb224664060245934305bec4ce2d26ce7

SHA256
c3ae24dd6b0e570611ea13b4f24e3b50ce0c6906c9ce3ba72105e4c91a660b1c

SHA512
eaaea014ca91d459a89a6f1544617f3cf3801521187fe757b08144125fe02ecd880e03726b28e32139bb752dbd52ec4133f707bb8c84e8a9ad26da54353a4d6f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 414505.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
\??\pipe\LOCAL\crashpad_2996_DNUXRZWWZVFNQXED

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit