e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18

Analysis

max time kernel
152s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe
Size

952KB
MD5

c0da389f251c8999145ac74a5623b953
SHA1

8c13c232d90d8cce78b289794ca816ebe11dfdf7
SHA256

e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18
SHA512

14c875f80a0856eb1b7e22aa78a0a3e44b505ec5a126df171a0193c4568d1665efc22191fcfbb903822c4a73bd09b9f458bfa21da49483b746165a8c8c8788f5
SSDEEP

12288:oyELQDEI04EAihYHfXDc3pW0MIVABeTQLvGIUgm0mVd9Z:9ELQpYac3pW0P6Be0L+9gm0GdH

Score

8^/10

microsoft persistence phishing upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1196-132-0x0000000000400000-0x0000000000514000-memory.dmp	upx
behavioral2/memory/1196-137-0x0000000000400000-0x0000000000514000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cfb271b4-13f8-46af-b3d9-bfd489624620.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221127225707.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
2540	msedge.exe
2540	msedge.exe
4780	msedge.exe
4780	msedge.exe
4420	identity_helper.exe
4420	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4436	1196	e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe	80
PID 1196 wrote to memory of 4436	1196	e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe	80
PID 4436 wrote to memory of 968	4436	msedge.exe	81
PID 4436 wrote to memory of 968	4436	msedge.exe	81
PID 1196 wrote to memory of 4780	1196	e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe	82
PID 1196 wrote to memory of 4780	1196	e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe	82
PID 4780 wrote to memory of 4724	4780	msedge.exe	83
PID 4780 wrote to memory of 4724	4780	msedge.exe	83
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4436 wrote to memory of 3656	4436	msedge.exe	87
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88
PID 4780 wrote to memory of 3840	4780	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe
"C:\Users\Admin\AppData\Local\Temp\e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb943746f8,0x7ffb94374708,0x7ffb94374718
    3⤵
    PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12716896165852339253,14159567478142658355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12716896165852339253,14159567478142658355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=e4a107ad4da57865e1f6ae2aca4b583d2b5af6d6fc339875aea6aa2036bd0a18.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb943746f8,0x7ffb94374708,0x7ffb94374718
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:3840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:3936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    PID:2224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
    3⤵
    PID:2676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3880 /prefetch:8
    3⤵
    PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
    3⤵
    PID:3608
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff717155460,0x7ff717155470,0x7ff717155480
      4⤵
      PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7032 /prefetch:8
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15278101538692729053,8443688438469367387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 /prefetch:2
    3⤵
    PID:2868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
8212d70c86ce431d59072c64f70a8279

SHA1
b221f0de1fb741bff50d0536566f1a9602757ee1

SHA256
b43ab742a745a5293b46de337819f22995835f52e29656ff8fb2eb5a1f569229

SHA512
08925c1502691ca0eebc03dcf82ba0efba59a3c480edbe7ace5632fcd2cb4d03895bb3babd41effa627b162bd3d88d51b8daeeadd657e49d39b4ebb202281d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
045ad7642fccbf45c28a491f1cc1d389

SHA1
11e1a8c5afbd2e30fbc24bd19cd496e503738cdd

SHA256
98f9759561b41f300450ed0efd7fd584fd4098e80913df21ac4707f912a30527

SHA512
69ed1f3865b8c72d626f8968b8979d0262674f862417cbe6453a4da99d0a8062b1c5e64f0c8f631d25352383c4ff16d7d47291e3a286b5b6071c80b81691de66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b9373386d2a022920edb626d6cab577d

SHA1
23aef04d1f6313c5472d0317d1a7a86bf974591b

SHA256
efff77603045aac30c50918daa940505474961ac921c070ca8a1d7d01c6433d3

SHA512
e169342051e6b574ccecc15a161e38a1a5357fc82daf98cb4f94c6384e59b9092fe86948909e607b68f24fddf6781d98ee8f4f9b06e82ca22019e707d8906bda

Download Submit
memory/1196-137-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1196-132-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download