hxxps://gofile[.]io/d/LOwIP7

Resubmissions

01/09/2024, 13:41

240901-qzjg9aserf 4

01/09/2024, 13:40

01/09/2024, 13:39

01/09/2024, 13:37

01/09/2024, 13:34

01/09/2024, 13:28

01/09/2024, 13:25

Analysis

max time kernel
118s
max time network
120s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 13:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/LOwIP7

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\GPU	WebExperienceHostApp.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	WebExperienceHostApp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "34"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\sdx.microsoft.com	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\Total = "0"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\ = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "0"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\sdx.microsoft.com	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs\ = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\NumberOfSubdomains = "1"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\sdx.microsoft.com\ = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\sdx.microsoft.com\ = "0"	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\ = "0"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\ = "0"	WebExperienceHostApp.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
2940	msedge.exe
2940	msedge.exe
3076	msedge.exe
3076	msedge.exe
1432	identity_helper.exe
1432	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2132	WebExperienceHostApp.exe
5316	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3164	2940	msedge.exe	82
PID 2940 wrote to memory of 3164	2940	msedge.exe	82
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 4492	2940	msedge.exe	83
PID 2940 wrote to memory of 1160	2940	msedge.exe	84
PID 2940 wrote to memory of 1160	2940	msedge.exe	84
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85
PID 2940 wrote to memory of 3172	2940	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/LOwIP7
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd99023cb8,0x7ffd99023cc8,0x7ffd99023cd8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,6069037788272741818,16620910247029496439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3068

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe" -ServerName:WebExperienceHost.AppXpahb3h9jz84zbzgmz4ndmjv3nas4ah73.mca
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2468

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1500

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c1855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1ec32b94d58f1923b9b8da0ad7dd80c8

SHA1
641bdb6ac47c33045437282c20935001450b07a0

SHA256
562a1238fb4b98adc47ecdf66f69e2a7bb6b5b3aa0c6f69571e4e9c514d457f2

SHA512
6ddb4c520a3e13eb685687f6857357a32ec1234d294ed522913019489e660ed0a4d8161e8add36de3d911b4a5cf50bf098dfea4f1ae0bfd042c056f42d22de35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
856B

MD5
3c9cf96aa1b6d0f3a6720940110eeff0

SHA1
6a3a55b3349d2c9667cec7f5c80152c574afb8c8

SHA256
040cdb5ab454fc5643b79fb5f0a356f3e070bb5b75d2c6b037696c8d62ef8d86

SHA512
66ee44496582036266db066553280eadd297131442d58140f79ae08502af28b9c286361dcfb590aff6d3dc429c43a89d5c352da795b4e435b3a9ab544b0c73dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b3fb6ae34a864d27d1c9077c6f344a6

SHA1
d9bcbc627b3e1a94342a42e3c66555adec56990e

SHA256
569519cd655ebe2d7fa4e5983dcc272203a1a6b19557190f49e5d86a38706fc6

SHA512
94f7849fba168ccfedfe5ce4fe1e28f967c526e9049153a3d4631cf289e3f8e3c85241e4a2fb1d98d8cb801421bfb579624b4a04590b49f43830519454a180ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d6e9bef508bb53e0e00246fa8810fe6

SHA1
4085a5b753024c18ae7f003ad822c764429e650a

SHA256
83123ee7d8fac686eecd7de3eba605d8846fbfd1e976fc8faed41e44ff4605d0

SHA512
5ec3927740576b856fea68139c0ed493029fe64dd9e4e4af0de4a2cf1a68f8c6dfa6c9e3b25eed38e7eb426287906f3635c62a3c8a6ff8c3a0a6860e3dec6918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2aebc8e203ca1ac9915348f5db9900e4

SHA1
bc77b63119197317ef383702edec4701785e0ffb

SHA256
5aec496925ad6d4c4041753d4c8ae8f12754d2cdb97939d7799e21c5773a4ce7

SHA512
7e5a305b6d9e00a0ff1a97e5222a295fff5a96b95e8775356fd1a38f62a4302c8f29f859b80f23cf99d90fd965ea5d622f583ac06bd3d1423698ab06c6b2a402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7092403b3b171140bf12d2038fe616f3

SHA1
92d60aea11ca2772f97976f8a2c57cef6afa7091

SHA256
5c270e513207f9df9a3af11b58e827f47d3c36ea96dc31172355d3d0ab97779d

SHA512
f38caa4592da049dde343a48fbb1d5df2a5f2509c6304f9c0665812a36ea2b99076a985ffee2eab7ac0c8a76ed38b083ca87f8cd7785a7617a022ff110a1fb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
062d26a8dc61c4541151caab168cfaa5

SHA1
84a74f7c7fb4d15769bd071098ce701724f45add

SHA256
168893b6dffbeade5d75c0ef20ade61ab58da69c17cc4c3f4895bcd237dac03e

SHA512
ff6a8569aef45254b407f706a651dff6b36fa81f9b08dc2c61f62b3bfb20353a2d36056411278a7f9997d5b3b1b4adba667f32cbb5d059e665176cc270953857

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\ae43f49f-7b06-49c6-a18b-cbf62dd8984d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/2132-419-0x0000023A4C570000-0x0000023A4C590000-memory.dmp

Filesize
128KB

Download
memory/2132-630-0x0000023A4BEF0000-0x0000023A4BF10000-memory.dmp

Filesize
128KB

Download
memory/2132-629-0x0000023A4BEF0000-0x0000023A4BF10000-memory.dmp

Filesize
128KB

Download
memory/2132-643-0x0000023A4DD00000-0x0000023A4DE00000-memory.dmp

Filesize
1024KB

Download
memory/2132-714-0x0000023A4D110000-0x0000023A4D210000-memory.dmp

Filesize
1024KB

Download
memory/2132-715-0x0000023A4D250000-0x0000023A4D350000-memory.dmp

Filesize
1024KB

Download
memory/2132-1023-0x0000023A4C070000-0x0000023A4C090000-memory.dmp

Filesize
128KB

Download
memory/2132-1024-0x0000023A4BDB0000-0x0000023A4BDD0000-memory.dmp

Filesize
128KB

Download