630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc.js
Size

475KB
MD5

b3466ea07dc83fcce7eeba0dbc1c8aa6
SHA1

1aeee7429327e3241fccddd4b2f06b8e6fb67ab8
SHA256

630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc
SHA512

f8b4f246112071a91c125ce6384a0b86d6be1b9631801e53e9e4f2b8027b4b5acd9aedf8b4fab7c7dd69e1729f1ef27b2aeea1f940ffceaf8f2abd320fbb57e2
SSDEEP

3072:VVnNs48OW0kT97kFUxj3mKMABR3R7DyWvEXNemiS0KPMID5whT0bMNj69wrVRs3f:nbkw83zLJtMtwmIj6ERCcXhe

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3594324687-1993884830-4019639329-1000\{9E425B43-2329-4983-A21D-38C6CC78CE53}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid process

2392 msedge.exe
2392 msedge.exe
3680 msedge.exe
3680 msedge.exe
2036 msedge.exe
2036 msedge.exe
1748 identity_helper.exe
1748 identity_helper.exe
2036 msedge.exe
2036 msedge.exe
4036 msedge.exe
4036 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	msedge.exe

pid	process
2392	msedge.exe
2392	msedge.exe
3680	msedge.exe
3680	msedge.exe
2036	msedge.exe
2036	msedge.exe
1748	identity_helper.exe
1748	identity_helper.exe
2036	msedge.exe
2036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3680 wrote to memory of 3352	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 3352	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1708	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 2392	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 2392	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 644	3680	msedge.exe	msedge.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\630a2dec95e68275d9ffa75a87d4809a9da69434c30cd95099fa401c9e4c9ebc.js
1⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2ab43cb8,0x7ffa2ab43cc8,0x7ffa2ab43cd8
2⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
2⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
2⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
2⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
2⤵
PID:248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
2⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
2⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
2⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
2⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
2⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
2⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5976 /prefetch:8
2⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3852 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1624 /prefetch:1
2⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1844,17141494840154740769,17258325425529026626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\64038b2c-bc63-4b5d-8c54-354ab70b3264.tmp
Filesize
1KB

MD5
6629dab113d234d0d005ba422fd2e9e5

SHA1
7bc965ad762db5254a277eb1be57930a13b7eb92

SHA256
7f39b496bd5e79370451c5f0778fb1ff246aa233a2920b76156a44e6912ec504

SHA512
258b03df29249958739a20eec031d88c0053a92c28af42f1899707170b693ecfdd6c123298f363f2b7de18619488377a6b4e592bf3eb5ba26a4de436d84adb5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
fc184180ad09ef27db0a540f527f1acb

SHA1
391db94f41e67619df2ccedf08476131a841dbde

SHA256
1fd95ad0d428b5dfcc92e02a10d3ab6d812e44ea3a73a9655a5b43de172d3269

SHA512
907ab66e9f4e82f26768c4433be05b0c75238fc78f51dfd359de0b946e8a068cc0a9b9e6c83be5512e9175d753aed6d7b8d2f7c134ea75d522511cc788ee4248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
784B

MD5
ffaf5d2525263eebc49ff291a474a633

SHA1
1b0eccc701347f6a25d0319bb12f3552f07da57f

SHA256
4ec84a82104511b7cbab57a9bca8d1a43f4168faa96ff7d1e520d887eed51b1a

SHA512
2ecea309e115f7b2b83ccc0fef960913ce8cbe24857620a4b64d9184ac671201630a0fc3065625f5a4c8f2d1f9a5eaac7ed7a67cc2a25fae3f62d23c76d61780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
905a2566784d871b1ccee6d69a717d08

SHA1
49709fbbb1040256c263a28a484db2ae17fd566d

SHA256
829c470c1fd474d5fbb499fa3c0407fa5f8b6bcbd6bb6fe194213501e2cc6fb3

SHA512
2bfddb813f2c1aeb49531e64b4c12973f988e95f978833ba6041c981a13b43645ffe992562f71be4ed459478fcf57a67d04e41dd01a78522e62c5cc1059304d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b194becde89726c4935b788652fd4323

SHA1
bc845e37aa985133f141b132f65cb215ad171b06

SHA256
8556b895244ce60e217cdfd3bff496f9754177a952be78c777348ca1bac29d16

SHA512
8935c5fb645039fe51f6daa777f365030c20bbca51c48f96a050d9c5217a964fb6d7b0b5b4ac6d8d94c32663e204f2f1c34879e422436dc7750b38e1d87a38c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5e3d3dca13a93128b331cc08eec981b4

SHA1
84ccf42cf5412ba5c7abd10a33f28abe430f28e9

SHA256
5463d92dd47e3dcd8ee44feeeb6d05148d9b55fdab816a13a378657d41bafd30

SHA512
827df1815fe8a8ba2dd5f8e23d65908871c69581d4c183222ed8cce76b4ad0b2c992fded8d4f2293a0b313b9ad2c7735039249c275b0b416c18bc9caa058d1e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
03b0297f4b2ea16dbff54352d11cdfb0

SHA1
8257c166fb43f244336c9ae791de30bb2be5bb19

SHA256
53543a35f8f7832fa2cd784d84a3e518e7e20bccaf729fc9e6fd64fd6479b610

SHA512
959ab567878dd1d31a85b2a43f421fab753650b82f43312b053c42624e0a55e2cd5004577bdd694929192ff931872458e5676227ad0778e62af8fd7c7e6cdd99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1ed3d585ce99ff779c7120afb17c3a6a

SHA1
c44117f9277caf2a4942b51efcd2c8c22b23f376

SHA256
a57775afe40ac8c14c9cce6151d5abfc31dcb2e0efb834f5ffef70e067fa9ec3

SHA512
5c33578574ec2d93d64057802bbf8abdb51bee0f662ae94b79b063b36b0d8b3b4335dde5a1955e012e6666f50b9bdebefbd71df2fa388821357ddeabff0c1709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
dfa1622043a6c5d69eeb9dd114226a48

SHA1
34d5afed01e6d3c51c511eeed36f359fd26a1fa9

SHA256
d05fb01476e2203c6c6d8f1303a86cdde4c23e621ccc53574be2f7c36a3e85b8

SHA512
f25b5c35fd63a4e7744b262fde067cbf36ea8be609e5c738ffa4ebdd5a879d8954ee3fb32e592acfa6fee5372324cf2d866617808abd08dcfb54e76d4937a8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58726c.TMP
Filesize
866B

MD5
3f0ee2a531678712f15d1a3a62638438

SHA1
4d9d9cd4ee7aee5aaa1da1020150d6f2082753fe

SHA256
aecf9ef21bee4107db7b0669476c2f7ef92e0d41a9324308fcfee4082ee5ddc8

SHA512
24048b7f6dbb06aba9f77d6a6322b780b2bf379d0cd2d664dd46ad41c4b65bc666d0510444b756c68ec362df96379359c471b77526c6a4464539eda75deb34be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
913bb2d3271613a57e0195c4d7467238

SHA1
ad65dbaa668e85c556e7e89eb83116d5fddb9be5

SHA256
10fbdfc2236d97faab7973b854cdc21957d45908740b3bb030c9b62a7bcf3a49

SHA512
e311d4e6e390492933161a117751dedb78c8f694586848d52aed5b38327fc28943a8de437aa80322bf061ee84a76d749a50dcd09e6fa727f23a54ee136a2313c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5e520e4a224fdae2745dea497ef19772

SHA1
a44fd8f29d6c86bb5aef2eb4ae501986f29e5ad2

SHA256
85ad2bcbe068675066e971fb55c1eaa686a15b3f27b9eb13eddc0173f84dcb2a

SHA512
575f9de4ec7fdf8a4167ee64d5685e6679559f8d811ef0de2bc7944d6a878947e3d836e9ef9814a33d7fa05a2c205a0880bf37aa8d63c1a13fe8c5b09e55724a

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 838840.crdownload
Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
\??\pipe\LOCAL\crashpad_3680_QUFGATKKKCTCFVSV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit