d2f16c673e6a924fcdc98d459e392f7d60f3153e59dec258bb2fa2e180f484cb

Analysis

max time kernel
32s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/10/2024, 20:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

508KB
MD5

797fbcf7bb58e8783e0072923afec6e7
SHA1

b7a8a21ddb4a2d7a08e0594da2788c4ff49c0160
SHA256

d2f16c673e6a924fcdc98d459e392f7d60f3153e59dec258bb2fa2e180f484cb
SHA512

ddc4050f449299fe87fec76de32780408daa716a34298dc41af667bf657a5e5986ed00eb19c8b35c7bca32488efe77020b291a421b888a5ee1c6d949eb2d897a
SSDEEP

6144:lMX9ed9er9eU9eF9ek9eM9em9eJ9eV9eCPE2:lW909M9f9o9z9X9T9I9y9fPE2

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3716	POWERPNT.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3716	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
740	msedge.exe
740	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3716	POWERPNT.EXE
3716	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4836	740	msedge.exe	77
PID 740 wrote to memory of 4836	740	msedge.exe	77
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 1408	740	msedge.exe	78
PID 740 wrote to memory of 2852	740	msedge.exe	79
PID 740 wrote to memory of 2852	740	msedge.exe	79
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80
PID 740 wrote to memory of 2472	740	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7c973cb8,0x7ffa7c973cc8,0x7ffa7c973cd8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14617709540954123876,8017058961213692325,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,14617709540954123876,8017058961213692325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,14617709540954123876,8017058961213692325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14617709540954123876,8017058961213692325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14617709540954123876,8017058961213692325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3040

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ShowPing.ppsx" /ou ""
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3716

Network

GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/fetch-polyfill.vflset/fetch-polyfill.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/fetch-polyfill.vflset/fetch-polyfill.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/intersection-observer.min.vflset/intersection-observer.min.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/intersection-observer.min.vflset/intersection-observer.min.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/scheduler.vflset/scheduler.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/scheduler.vflset/scheduler.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/www-i18n-constants-de_DE.vflset/www-i18n-constants.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/www-i18n-constants-de_DE.vflset/www-i18n-constants.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/www-tampering.vflset/www-tampering.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/www-tampering.vflset/www-tampering.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/72b8c307/jsbin/spf.vflset/spf.js

msedge.exe

Remote address:

142.250.178.14:443

Request

GET /s/desktop/72b8c307/jsbin/spf.vflset/spf.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://i.ytimg.com/generate_204

msedge.exe

Remote address:

172.217.169.86:443

Request

GET /generate_204 HTTP/2.0
host: i.ytimg.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

14.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.178.250.142.in-addr.arpa

IN PTR

Response

14.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f141e100net
DNS

www.bing.com

Remote address:

8.8.8.8:53

Request

www.bing.com

IN A

Response

www.bing.com

IN CNAME

www-www.bing.com.trafficmanager.net

www-www.bing.com.trafficmanager.net

IN CNAME

www.bing.com.edgekey.net

www.bing.com.edgekey.net

IN CNAME

e86303.dscx.akamaiedge.net

e86303.dscx.akamaiedge.net

IN A

92.123.128.163

e86303.dscx.akamaiedge.net

IN A

92.123.128.164

e86303.dscx.akamaiedge.net

IN A

92.123.128.166

e86303.dscx.akamaiedge.net

IN A

92.123.128.157

e86303.dscx.akamaiedge.net

IN A

92.123.128.165

e86303.dscx.akamaiedge.net

IN A

92.123.128.167

e86303.dscx.akamaiedge.net

IN A

92.123.128.161

e86303.dscx.akamaiedge.net

IN A

92.123.128.155

e86303.dscx.akamaiedge.net

IN A

92.123.128.156
DNS

config.edge.skype.com

Remote address:

8.8.8.8:53

Request

config.edge.skype.com

IN A

Response

config.edge.skype.com

IN CNAME

config.edge.skype.com.trafficmanager.net

config.edge.skype.com.trafficmanager.net

IN CNAME

l-0007.config.skype.com

l-0007.config.skype.com

IN CNAME

config-edge-skype.l-0007.l-msedge.net

config-edge-skype.l-0007.l-msedge.net

IN CNAME

l-0007.l-msedge.net

l-0007.l-msedge.net

IN A

13.107.42.16
DNS

243.76.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

243.76.109.52.in-addr.arpa

IN PTR

Response
DNS

86.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.169.217.172.in-addr.arpa

IN PTR

Response

86.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f221e100net
DNS

cxcs.microsoft.net

Remote address:

8.8.8.8:53

Request

cxcs.microsoft.net

IN A

Response

cxcs.microsoft.net

IN CNAME

cxcs.microsoft.net.edgekey.net

cxcs.microsoft.net.edgekey.net

IN CNAME

e3230.b.akamaiedge.net

e3230.b.akamaiedge.net

IN A

23.213.251.133
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.243.31
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdwus13.westus.cloudapp.azure.com

onedscolprdwus13.westus.cloudapp.azure.com

IN A

20.189.173.14
POST

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

POWERPNT.EXE

Remote address:

52.109.76.243:443

Request

POST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_125
X-OfficeVersion: 16.0.18122.30576
X-OfficeCluster: neu-000.roaming.officeapps.live.com
X-CorrelationId: 2ad1453d-9d05-45a9-bd24-34e55c56c2aa
X-Powered-By: ASP.NET
Date: Thu, 03 Oct 2024 20:41:33 GMT
Content-Length: 654

142.250.178.14:443

www.youtube.com

tls, http2

msedge.exe

989 B
7.6kB
9
9
142.250.178.14:443

www.youtube.com

tls, http2

msedge.exe

989 B
7.6kB
9
9
142.250.178.14:443

https://www.youtube.com/s/desktop/72b8c307/jsbin/spf.vflset/spf.js

tls, http2

msedge.exe

5.1kB
87.2kB
72
78

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/fetch-polyfill.vflset/fetch-polyfill.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/intersection-observer.min.vflset/intersection-observer.min.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/scheduler.vflset/scheduler.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/www-i18n-constants-de_DE.vflset/www-i18n-constants.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/www-tampering.vflset/www-tampering.js

HTTP Request

GET https://www.youtube.com/s/desktop/72b8c307/jsbin/spf.vflset/spf.js
142.250.178.14:443

www.youtube.com

tls, http2

msedge.exe

989 B
7.6kB
9
9
142.250.200.42:445

fonts.googleapis.com

260 B
5
172.217.169.86:443

https://i.ytimg.com/generate_204

tls, http2

msedge.exe

1.7kB
5.8kB
13
11

HTTP Request

GET https://i.ytimg.com/generate_204
216.58.212.202:139

fonts.googleapis.com

260 B
5
92.123.128.163:443

www.bing.com

tls

1.9kB
6.9kB
18
13
23.213.251.133:443

cxcs.microsoft.net

tls

1.4kB
7.4kB
19
14
52.109.76.243:443

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

tls, http

POWERPNT.EXE

1.7kB
7.7kB
11
10

HTTP Request

POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

HTTP Response

200

142.250.178.14:443

www.youtube.com

https

msedge.exe

19.6kB
2.2MB
249
1627
8.8.8.8:53

14.178.250.142.in-addr.arpa

dns

270 B
808 B
4
4

DNS Request

14.178.250.142.in-addr.arpa

DNS Request

www.bing.com

DNS Response

92.123.128.163

92.123.128.164

92.123.128.166

92.123.128.157

92.123.128.165

92.123.128.167

92.123.128.161

92.123.128.155

92.123.128.156

DNS Request

config.edge.skype.com

DNS Response

13.107.42.16

DNS Request

243.76.109.52.in-addr.arpa
8.8.8.8:53

86.169.217.172.in-addr.arpa

dns

289 B
601 B
4
4

DNS Request

86.169.217.172.in-addr.arpa

DNS Request

cxcs.microsoft.net

DNS Response

23.213.251.133

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.243.31

DNS Request

self.events.data.microsoft.com

DNS Response

20.189.173.14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
584B

MD5
d284c26334e1414c6acef72ee4601645

SHA1
d6c8d9f7d48ed7ee1ffb495a17c717fee74c4563

SHA256
c3c221ac637e20d5c3afe7d1f5716b9d6ad86238bf838e282aa40ba2664cc318

SHA512
bb2328cca9690792870f605726cc370c9c7c8f13f5536ffe845648aefae19ace68c1e8a410f67d6e9b71a428e1de1faac73eb610745ec8e049439e55600b986f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28256049e5952cc9a01068b1f7c93a9c

SHA1
a7252fbe02a0a7fc25b989866168d730d5d9ddb0

SHA256
26ea750deb7622e4d1c80ba0b036132826799e2689a7eb07796cea5e8a01378d

SHA512
698348d365170a1299d3c6e9301ce664a03eeb31a34365f7d9a02a09d0d04d4ee9f393b5c145384098e6fb79915b867aa85a07d36adb330af9a3c8672d4c5708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4afbc670dc7060467b2e3e4eef74335a

SHA1
fbee561ef1e018795fa7511657d1b375dae09b99

SHA256
6d6e4b7d00075bc20e0ff0e41cb7f33ae5e2f477c7d6cf5687bb2ca45bca02c9

SHA512
70cb9fac7f27b2760c1c9a18f6f0140ce917833609ec92b9a2bc8c60342ea02b494b395bcb29cc9ddfde815d17edf0af5228eda83c9664aa0af839889ce1022f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5da5760fe6472a8fd02c74be01af307

SHA1
8fad601ff00c599892f7593b698f97b9ccb0e2b9

SHA256
fccaa59359ed24d5bb01477d20c431610050d8234e5fb1d61197c70e07dd7fe6

SHA512
cba24cea91d2be109e9fc9df5bc1998fe42f4036882dc6e53279fcfa5565464d8657ca2943ca50e0f32f13838bf8ef355e2bcb97e0a026066c757e236f295e78

Download Submit
memory/3716-105-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-104-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-106-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-107-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-108-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-109-0x00007FFA49830000-0x00007FFA49840000-memory.dmp

Filesize
64KB

Download
memory/3716-110-0x00007FFA49830000-0x00007FFA49840000-memory.dmp

Filesize
64KB

Download
memory/3716-132-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-131-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-130-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download
memory/3716-129-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.