hxxps://libs[.]outbrain[.]com/s-vi-serve

Analysis

max time kernel
54s
max time network
57s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21/11/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://libs.outbrain.com/s-vi-serve

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
992	msedge.exe
992	msedge.exe
6056	msedge.exe
6056	msedge.exe
3560	msedge.exe
3560	msedge.exe
5516	identity_helper.exe
5516	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe
6056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6056 wrote to memory of 2832	6056	msedge.exe	79
PID 6056 wrote to memory of 2832	6056	msedge.exe	79
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 2804	6056	msedge.exe	80
PID 6056 wrote to memory of 992	6056	msedge.exe	81
PID 6056 wrote to memory of 992	6056	msedge.exe	81
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82
PID 6056 wrote to memory of 1504	6056	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://libs.outbrain.com/s-vi-serve
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff82adb3cb8,0x7ff82adb3cc8,0x7ff82adb3cd8
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12533834236694301227,16649470741020703399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004F0
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d904d33b9242d66234195444f65917d6

SHA1
70fe5ffe0c1e7a2422a5cb1fdef2dd961c2ba488

SHA256
ee4aa3c9de408de3efcaeb7b38172901c70a89d10f8d5a986a877a45fe5fb6c7

SHA512
5d2dc1dd14485be5877c1a9d8a0e224354434ddb9730b0ee9e95db3b7580a98c7f5a63a8209a7efc3ad974d29182126f15b2c627e01ebda16afffcfa8e4849a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e36d3075bb1aed21556823a198d5267

SHA1
823c1ff71df1817011cb0d40f1eab60f7c6f0f54

SHA256
5ec9985d8f6cbdef344f45659e4956c5ce6819496da85ba537b776324804d1bf

SHA512
319d64a394bc44a0f493b3dd4890fde1d87ad13d674a5bf029bb44e1f344b8f98ab8a889687e8055c0dc0d3168865f9961d6d00e133552a3747011fa3537eddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5bd014af699707f9e11f557cf1237c68

SHA1
06be0a85fc0f4dc1a21df646f5929cb42a2b34ce

SHA256
a5acfd77617facc6163f22c2d8644ba7da2c3150255aa9b98673311fb25ffb04

SHA512
fb7128b62e3d372b26926b7e86cddc54536d24027e6c45283cf17f84c186bedbf9f5640643bbc0f7a6a5624e0e6094d99f4a0025c898ee1c97c394eee236c53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1c1a302b1be112f95a2ae157433c0080

SHA1
379f29492155f0ba7c7cff41241138c3876a9042

SHA256
e2915d936f584d0bd8c21ed63d2a57be88a4c506e84dc64282371a1fb0b4f08b

SHA512
b120502865a49d6ff587133dfe2c3ddbb7979e12534791c216e1f46a94756c20a5fbc1b7e6e5d52f0957090f4408cef16b3e17cd41caa3e0d1507b9400ee29cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5864b0.TMP

Filesize
48B

MD5
7a22c34c415de559cb00a59d3594d210

SHA1
69805fb231fb1bf66a8ff8b04acce9db50442df5

SHA256
aaeb7c7492a2ac5adb6934ce6032cfdc13a0f33cfdf98931f19e8c09bedc07aa

SHA512
f1d7ef870904acf9060cbacb03a3fa6c57d91632267d1a1ad2253faa5a152562454d4d481ddea0d2bed84597d33e469764fc7f71fa0832ef1fa5c5c50df65a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
81c1a7dee3c8a9ba4543a66b34072df5

SHA1
4192cc5cecaafb89936858237aa9378c924d162c

SHA256
7673323cf8fe5421fe028620455b1bc16a0bf31fa625d9aa9bdc8149e9dd981f

SHA512
d6eef9e1f1178446aa7188b4942c7e8e10d4c8c9a1bce5a519d451a0b6a6fc06b61d5f55972d2ca820080c78a06734d0dc0cc760594cc66511c640ae358e5c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2e25f3bfe91518dfd7a9a7d483e65171

SHA1
feba8f289edaa836714d9dc00319a81b493b364b

SHA256
0e45abd7a9bbdf670af542764282a01774d92d237fa8d75cd7eca83540e05a78

SHA512
db6f160e9f2b215bf606c83ddfed64bbd8a0632d1331c6d814fdd2eb17069274cb6520857f2283048892f6d0eaa43e83139b77f266026958697a38d4f05c75e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
afc4e9581f7235c7c6978b7ba7b3bc27

SHA1
6bae97ee39e68b1e2028c5359ad4ff87b3971bf4

SHA256
5ccf1138518c4f08fe7d2ef098525f816433532a5d281fe2afd0641b8de2ec1f

SHA512
0486ac95d7fb9350bd5d0bc3f4ebe557f8e636a225a0e69770faa07ecb7dfeaf398fa4b7719fadacc8f54b6bafb25cdbd4c8e7affefb5c0b7b7e4c7e9abd49cf

Download Submit