08f327fa721faf4fa748844b307ffb66ee56370e705c0b34942d4084a88ab469

Resubmissions

17/09/2024, 21:20

240917-z6styawanp 10

07/09/2024, 15:18

240907-spsdhszekm 3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22dc50dc2bbe4422c7f68d26ab95eb9.js
Size

92KB
MD5

abbf8daa7bcdaca739f4d3fc4ebae091
SHA1

1706784a398f62b28b178ca471446ed2dbb2aee9
SHA256

a58fe10a096397b8eb9404af4ab8dfe14b1d88ae043f480f93697591ae262626
SHA512

91d0b100ee6f708f4708e7e3ae9a7407c53a3e16f3fb58ea79b15751bf5edb1cfde75184ae0c7e3148ddc0170d9b8ad587cedbc856f10c8f40b2a62e13d56e9e
SSDEEP

1536:JiPdxrC3WtVFyIcQwYJWOlA/Zk0pRZw6lw1rPTf:J+w2WhlprwXpTf

Score

3^/10

discovery execution

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	taskmgr.exe
Token: SeSystemProfilePrivilege	2340	taskmgr.exe
Token: SeCreateGlobalPrivilege	2340	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4344	1072	msedge.exe	137
PID 1072 wrote to memory of 4344	1072	msedge.exe	137
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5320	1072	msedge.exe	138
PID 1072 wrote to memory of 5352	1072	msedge.exe	139
PID 1072 wrote to memory of 5352	1072	msedge.exe	139
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140
PID 1072 wrote to memory of 5360	1072	msedge.exe	140

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\c22dc50dc2bbe4422c7f68d26ab95eb9.js
1⤵
PID:2700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:3448

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2336

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:1676

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:3684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:3384

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:5104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:3756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:1536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4556

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:448

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:3240

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4360

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:5084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:3780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:2880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:4420

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9a93546f8,0x7ff9a9354708,0x7ff9a9354718
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4678894644895462242,1355240686556005697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js.html
1⤵
PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a93546f8,0x7ff9a9354708,0x7ff9a9354718
  2⤵
  PID:6024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c22dc50dc2bbe4422c7f68d26ab95eb9.js"
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc9cabac9c028895ddec01c07e7ff4e1

SHA1
8700f961bf5a8834ed9d2d6b709c0b9da9642f81

SHA256
1a0f81def8db824383ddc39b20edd1f2a659c32f10edc4643a2833829ee48dec

SHA512
fcc9d45cf2deabe744f5255e6c679815df6c104bff0554ab9ff9cecb033641ca2b173fba0dbdbe1fccac2afdd7aa97e5b44321aa6671ff841b58bef00d80918e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1644d56eecfdb3e7f1bf1c90ebdcc64b

SHA1
6a786004dfcfa3f6c69c9074eb6c00900db10fac

SHA256
6f2344f148e35577cd7235fbd9e4f6af441d5b663337401ed761a0b31862bed5

SHA512
edf4c5effdc0958152d74d41a50212c09566d8327510c6e5330d2dcc6f11289d6835b06b279fefbd7fc7ad3163ef93946ca82c637d799d5afd23e08f48640bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
259555ba9e5a40ee81ffc7f414e54cac

SHA1
3ca5d5299862aa8cf0223111d4913425cf9aab3c

SHA256
aaff0ac24896487d3ccab812a571bd9a2c1dc4a46919a4ad7b6d92358fc0405a

SHA512
134d5bedad6b06f66316512edb8c4f08e0d60aff914aa3712f15dc07bb596f40bd7b3c43ca637863a2a0389fcef0f66ff8d755ca873655c1345ef8dd54f5913e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e9bf51bb1540bb6babf13ba8c643fbf0

SHA1
4cf978186fb3405daadfe6fff304581287e82cf3

SHA256
0bd0d5c52d9ca2c20a53e246e563f7d78823470901fac89dde5b46206e70d469

SHA512
db72a75759178f32f73a344865d933c086f9f5ceb2d32b37e8a35a7f29aa33c535b9d0faa8f8d2fa1dd3ab3e79af8633d5ae3f3b0bd7916c3a8e87a08cdb5252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f96f887d374765c3483d041d94f62f7f

SHA1
d596bc02bd7ece55be2e4b3a5bafa7bf98191ab3

SHA256
0c040f26cf1996cf3ff730ece83fb9b782b19ff3650a108ccfeb1823e26b57e9

SHA512
f233e210d316ace9774d8ee8228df7f1007c512bb25ca82e5d56ac725d8225b240b4f48d82440ded3ab8d37ee12af19cc2da1a61dd2c4646a933f1c4f22adbb0

Download Submit
memory/2340-12-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-7-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-6-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-8-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-10-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-11-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-0-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-9-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x00000209CF7A0000-0x00000209CF7A1000-memory.dmp

Filesize
4KB

Download