hxxps://buzzheavier[.]com/zpxca2zcg07d

Resubmissions

28/11/2024, 01:35

241128-bz4qvszjgt 7

28/11/2024, 01:03

241128-bevmfsykgv 10

Analysis

max time kernel
82s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://buzzheavier.com/zpxca2zcg07d

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: #Pa$$w0𝑅D-3517__Sat-Up@!
phishing
A potential corporate email address has been identified in the URL: #Pa$$w0𝑅D-3517__Sat-Up@!.zip
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
832	msedge.exe
832	msedge.exe
5104	msedge.exe
5104	msedge.exe
2860	identity_helper.exe
2860	identity_helper.exe
3768	msedge.exe
3768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2864	7zG.exe
Token: 35	2864	7zG.exe
Token: SeSecurityPrivilege	2864	7zG.exe
Token: SeSecurityPrivilege	2864	7zG.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
2864	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1484	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3092	5104	msedge.exe	83
PID 5104 wrote to memory of 3092	5104	msedge.exe	83
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 3012	5104	msedge.exe	84
PID 5104 wrote to memory of 832	5104	msedge.exe	85
PID 5104 wrote to memory of 832	5104	msedge.exe	85
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86
PID 5104 wrote to memory of 828	5104	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://buzzheavier.com/zpxca2zcg07d
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90bc646f8,0x7ff90bc64708,0x7ff90bc64718
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,2250193330372755300,16124527453326935497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#Pa$$w0𝑅D-3517__Sat-Up@!\" -ad -an -ai#7zMap2276:112:7zEvent24920
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4570a8088683a075e98f55e262cad623

SHA1
5b0d498f63cd866de84d8879dde361d43ecc4a44

SHA256
09dab91dca075279862cd69414bdd50bc896d27d2223acf37647a659407372ac

SHA512
feff644e3244bc2af23d7c6d638f5741132a1b1da6a26a9c9a96c3be6adcf7b7dc301ccf81d6cd378649381842d4bf98a62c9416fa127e281ad50bb99a0efeeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
590077a125434bbfd075ea6c203fdf7e

SHA1
bddd0216b85011aa813a2b44bf4b62edff525433

SHA256
ddd736f61d1b37b33d176c31c3733432f35602330d6dcd3d4f5d607f4aa10dec

SHA512
a9476731d1e7d939c9e454cd145ee55a5838866b24d6abc36868d25a7c31bf96012ec379556674dcf11aed47f3ea0e77d88f52309c57326b32bc0671bfe5fe9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bcf8535a0b4fbd14dc919663c6ebf64b

SHA1
de0417fa101d141ad4f37eaa1c4bbe98cd37cde2

SHA256
b2d4880ff09e94b936910dd1eb1c74ae5a3cc4c4ce79a4b616b51b64172c8f5d

SHA512
757d2a4bf124a3defd4768a3540902cfdd1d096fde1f1206a34c57c21a1bb6bc7c0db66b7c03560633f4d910181b40107ab559a91323c84d789e683fb07dc7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
892dadfb60087e66f97e4400e80f2d18

SHA1
4a04748b0b03e85a7d992c3774bccb8d24a79fd1

SHA256
c6b474676a95c3830100102135fddf67030752d30876700a2928a564f6a6c873

SHA512
ace960764bf925701899c1c3439b29982d172edfedda50f1ced375f119d34f7400c3be5f19abe9be7ac0b0ffaa9057e27b898e3814a5449b90e07e31c1fc22de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
afaa669b0cadbdfbe16b8203bd12a042

SHA1
3c004bdd5e860eef42348c378b0c268abb08b6e8

SHA256
09a50a44e94ad291774eb0062421b6e9e67951bfb4991f33836ae039a59f2599

SHA512
6a542958a499a0eaa0c67f1935845765a544444141de746cbcacc8dbb7504932afb45b83a07544ab0007a99765285d4d7f6660b8fd41bcaa585a82915c764b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7486a75680a07121e85a073043e2ba8c

SHA1
7d9b2bc0475fd815f44a6ac374f8fc8f7772e3cf

SHA256
d3a578e80e7b35bc3966fc2639a8e8e699e11ffdeacdbc066a53d5158b59b4bd

SHA512
563a1f64f2389d7799c9cac77be4ec38aca53d7332483f909eb077c78c32de9b8a0880ad289db86b1f159c7997f0d794d12786384469542478e59182fbcbebff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4fc02728a3d24570a85252aab00c25fc

SHA1
f5bd29b90442f4616c6799a21fc9feb05a783bb0

SHA256
2d32348731d230c8cf3de2c101da145f86d09edd318a90dee36977056232de6c

SHA512
b6e15b08d0bde43ebb73b276e4c4320f26bb61a0a7c7992ed93c863bd9321a3defe581c23882c76c73cae6918df0e2a4b8bfbb0119237178db73aa3382786ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
59213049dc98b3fe27fee7bd903b3693

SHA1
ebe2016ebf377a8a1f3c7084acedf6cd4f67ad70

SHA256
13e4f9198b3983ca65cce009db51f107129a753b31b1937fc06436c71deed61a

SHA512
d4c84adbe9b3a9bc46f2f3870bd0604ff24f1d11bfff6702025919040577e682301afaff2b86dc00be7c46645168c5f38a00f98d10b32a153cb9d927d9b600d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
5fea260df7da4f1c708b731cfd55876d

SHA1
6daae1491e76cf778d75caf718723835a70a8399

SHA256
b7843f1c8855eac84aeb9577d26873e58070d87f505cd8f1b36f79a0cd08087d

SHA512
100f37583b33e443ed7c0cdbfda47a510149c366209d95e60fefb2fc1342c50510e6282247bdeb28ffb470bb3b8e9a84e48dcbe4900ea817086166416852f378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e222.TMP

Filesize
370B

MD5
5f980f1a0ce438e53cdab50a6af32c5a

SHA1
7828606de163bf28ef769e0b068851bef1c2cff1

SHA256
85861c446bb48bd497c4560a0a4a831d156d8bc4663c4dd104e1f0c3deda6a17

SHA512
0cc28fc1a7d53d801e2a8f09bb9f0d3b5fc3d740bb280b0956d38dcfedef132df1fba7b643826bd117c8b9cd05f9ed818be05337acee8f3d25a40e3256936abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b455ef5447dfae19bf5718a6c33fd38a

SHA1
5ccae9daefe8b04b611b24671cd51c6cb69834e5

SHA256
69146c2c7f267bac0c25746950cd0d9a91b5f8dd554cc880ad8cb67c10cb1ee1

SHA512
e5ff587337826817cc558b3713c83e54d0f003237bee56b1a49cd4b55e0e126eb03d56cb8cd7094371cbab60a90349731f2d26c6680d0172ba48a89926f03bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fdfaa9f1fdb6b2eece83687215256dc5

SHA1
5f08e866914c8b6a4dadad3018188b13a7412bd8

SHA256
63c55a4b988e2ae9e30ebe0284235087f325fe32cbbf80103d8dcaa7d1555976

SHA512
e8f3b673fe79ca8322df02c616897480b738161683efb142e63dc37181e8a0065c0d3c6b85f4925a24f2ba27c403f35fed1704b2ff142df77f14cd019392a49f

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0𝑅D-3517__Sat-Up@!.zip

Filesize
24.3MB

MD5
90fba55a5c4b01904f5a2bdab89386dc

SHA1
caa620c8e8515435b7b8ce06fa428b779f176041

SHA256
7580aa09c3759027ea913e5f76a3de6804973f36fadd396eba6133844b772032

SHA512
a5de64c7d63dd8b415ee025b8226af6873260477010d68e40dc8f20cea132b89ef1ac0c9c995b17a05a3e5fafac1c37e6cb3358f0da888fea63014e2322de564

Download Submit