0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2023 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe
Size

790KB
MD5

4e684d79bfb7ce0656df64f822880785
SHA1

27e32fd4bed5aa83cef0e65f2b89c581652ac7d9
SHA256

0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457
SHA512

b3cbbe66ecd10e9cfaf959cc3846773528b85e06ca4e042b44a3ff04f3b4ad98facc1ce7b7d3cfa8e94afb8ec21831d44c93890296b3f6e272274c0aab389ee4
SSDEEP

12288:6tvs2ttd1PuZUiMqylDxljISy1G41To6lG4/ehhWXozx:6tvs2ttd1WSiDyxxJTy44Zo6lG4Wh6oN

Score

8^/10

discovery

Malware Config

Signatures

Contacts a large (760) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7034f3c3-3cd7-410b-9e9d-3d41c6b0311e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230308003508.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4952	msedge.exe
4952	msedge.exe
5904	identity_helper.exe
5904	identity_helper.exe
5888	msedge.exe
5888	msedge.exe
5888	msedge.exe
5888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4540	0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe
4540	0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4952	4540	0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe	92
PID 4540 wrote to memory of 4952	4540	0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe	92
PID 4952 wrote to memory of 1904	4952	msedge.exe	93
PID 4952 wrote to memory of 1904	4952	msedge.exe	93
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 3136	4952	msedge.exe	94
PID 4952 wrote to memory of 4108	4952	msedge.exe	95
PID 4952 wrote to memory of 4108	4952	msedge.exe	95
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96
PID 4952 wrote to memory of 1084	4952	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe
"C:\Users\Admin\AppData\Local\Temp\0bd4fcdcbd8742f9d6013215784b468ce76b647e1ffcea919c63bfe70b54b457.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.oneptp.com/ax/?uid=507801&ad=8
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d4646f8,0x7fff1d464708,0x7fff1d464718
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
    3⤵
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8404 /prefetch:1
    3⤵
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
    3⤵
    PID:5200
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
    3⤵
    PID:5452
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b3255460,0x7ff6b3255470,0x7ff6b3255480
      4⤵
      PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
    3⤵
    PID:5928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3493692909993150325,469981092830838828,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5080 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BA79029EC3FFD076F5DAC2F70A18685

Filesize
1KB

MD5
10acdcbd363e8bb18bef42973fc98b5a

SHA1
b000860b66aa964c8b7073fe736d6c84aeb69f7d

SHA256
5c353cd9f6e85a408242f8e0bc0158b8e3b975173253f4c8e553b1acd5a836d9

SHA512
a642545beb57fc22fb18d34471be79bc7f0279266b2e317af1433e01c426062a0048d6087b5955001126a64dbe79a189c70074daf16048716b48a4d6b6dc7665

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
848e4c351740cf26cd5000af2d2da5d1

SHA1
2d197e0f864cf8b2262a10b50785636f99d18957

SHA256
7c167491461e51b0d6f510890fa2446c7e041464cb057046b7e9bb962dd87f2a

SHA512
f7ac550fab05df94243a181f040441e2c0563686b6f157e64f9e1d4c3f5987464d798e4090d404bc5c60351140a2968b49fd81d723f9fe5c596e3e524cdbbcf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BA79029EC3FFD076F5DAC2F70A18685

Filesize
186B

MD5
576ba3ca1a99641e70ace6931079946c

SHA1
518260f92290fa5f7abbe9cfbc4b089fef8775b7

SHA256
1b6f185c1d7d5988b99559e67b964a1213a905a4e5a0af7858e4161e0abc1bd1

SHA512
82d2891c4a7d3efc0ca8e61f542941b374641c51518ced194faa710ad79110c0a3ad0edddb951aacce68cd9766d89afc7925f81fca2c5fa4b0af1ebfb50e26ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
36d6727894619bd104dc75ed165e0e32

SHA1
630c6e8b0a4f9e0c96572aabcdde7a70ffb2706b

SHA256
41e05b1fa984e87782aeb529fd018550f52274ed3db8d2c36213ccf44a14202d

SHA512
86b0d0d48ea2619420acc7b05d8b3291c92a0767a79adc7ad23966bac4f5554b054b47da927e9790cfaf458dc0c4885c9ca294311e425598ffd526ef022d6044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
61KB

MD5
7a7b9c4a8624adbb3645ef99ba374353

SHA1
2bd2d23ddd06ab143ffaa54f29fbfc45bc18982f

SHA256
ff913aed84077f232791314df22f4d3eb0ab4b08a3a6b2276405ede624a26404

SHA512
b6a9496466b7b9f6af46886c1b5b0c888b071039765ed25e9837d858fcc110f13136c1a3a53a1b69ec30dcea28bacebcdd2c232cb72148afd290d8a7e908bb79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
b232c02cb0ef22b7bbb077964c66745d

SHA1
7c0044dcf3c74c2785291f71a3516378e4278e63

SHA256
f9245f1cd2af8f6e5cae4f92ce215c703a535cfc44341f68f5258995de944a55

SHA512
cb9eab7ea4f3c2dc317f713609a9447cd3526d00aa0da977bd9625aa6b11ead0eb61d22a04aa9fb34be9f53396022ce517d89c3a81508ceb69e1aaad307f89ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe577908.TMP

Filesize
48B

MD5
f0b269fb65068a8e8bff6776c886ebc8

SHA1
79ca8caadba4368fc38ac4ae1473e8076b78b54a

SHA256
d7ade2e23e7225fa0846583063b22ffc8069f90febed25326968159cfd7347c6

SHA512
e8bdc2f6ac973c595d2efb5c2d41f429e8e821152518bfe9667722cf372a863159f58c1169b596a38c1bd72bc89922d6eb9a2268c6f1488f2aac819baaa854fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
72126554de8aaea7cb20bba745376d1e

SHA1
7ea2c863a4f3b7010a487b9402f7cefdc870a528

SHA256
be866df9a04c0fb860b377dc9e0472adcae766174f1b52cc8bbb8e88dc2c1f57

SHA512
ce77346dda0568af0bd7dd849e19962cc1ce7941b0c2353863a530a2471d60eb42b5fc08508edaa587365c3a34ae9b36db956884d6f7bc3cbde8f7c96643c07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6b56778dd2be6697e2fee94e63e65b43

SHA1
0b28b4ca7d9478d67cb934852f65b52bf821eef4

SHA256
986789f5232cb47419a00a12e709a91b58fffd8bdbeabcc72f7831e6aec9a6d1

SHA512
4d6c0fa08abc2d9063578929fe3a7c99333b3b435759a5c1f73a2b2121b1128b54debc043af22e8db364089a45bf230b30739abd2673aa1a6c99f91d2323faa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
69047ff2cd4553c72537c5cbdf3cdc70

SHA1
6ffb0a839ffc17670bca20c0bc1fd6957b2e7924

SHA256
eddde6473b71a822fed7b88ef75417ddb6d454286154598efd6bcf546dcfaa63

SHA512
dcd7b9f0fad19fcfa284ca311abc0d0b17ffd8bebb98a7a486234e556dbb4f2d9e0f999210a63e928d76632df03aa855da76e277dac3469f53f754c1340c0ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e419dec006a09a0229b5b81bec9b464b

SHA1
9755cc7b8f029b2d74e680b3c3e9ddba0eea5284

SHA256
27e6bd68f88641036b0c514d534b804e9752c7b9069430b18b9dfc2d25de6f66

SHA512
e1b6f0606ea7367a44660f0da6286a3b16c345f2cfc1f7951758253d66434fa649ca787f28cf0bd6cb92ae0cb242100db5e1674f04951165c97552ad37e79c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b8e76834b59c886ea5d4232e2a3ef7e

SHA1
11b5406a6f50ce30129a47d9b0e67d585fdf96d3

SHA256
f1ba577c4c68f9ac6003045b47416894ad75d217762e044ea9ece70cdf186f2f

SHA512
5b958c0de6d8e9d10b6cdb36114d42d68658dcc18601994d2b7fdd0134e56f829f89593ad2328579c4dc1c892ac940bd3d05fbcafd3353da8ab2369f90ce1dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
74ddc5e1484fe90f160013ede3d2d9fa

SHA1
4638ad6eba48ecd73fcd05e315e0837cf96c5dc1

SHA256
7bbf73ce60e8590510296ee3b2923c67b3f0cdd43707a903dde1f286e018a011

SHA512
8e979e6f48f9f40b10bfc3f5096c0938719ef2734711e8c8bdd0d2358b11247899c0060fbc8dfe0f645526f05612275e12404fa9b1c2bc254ee7eee3586046c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe574277.TMP

Filesize
1KB

MD5
cb451455f0a811d21225da3fb5f66282

SHA1
45fd38cf4af05c28f741af66d7db5e121f8ff55d

SHA256
d276b1978fee4f5e520da17b85788ce58f1a70727a611c08cd6c8c51795f1d50

SHA512
e7617328730a8c90f1b0d140dd88484c797581cd4140b75fa79ee1409a64654c0a4adac4823990fd08c8ebd673e233dc44155c60b0119494750a430500b89884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
a1f9ddc5ff5dbc7b0bbe624828a1ca51

SHA1
70cb25e6436aae957014a265b42938de7a8efc97

SHA256
e3e9bdd70785245b6f9d9a92e1192eae5d2112fe8486eaf2c7f1ae6e0d35c4c0

SHA512
9391f666a3449c177e40ba9894efe37d9fd442b2c8ded2f2eea8a8157d3ed9623b4bd091bfce1f53ac48a6d07493b392bdb0b06136063551d4e44691b28dcdde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f49486e746eb7596802fab74e85a8724

SHA1
63f4ae18856c680cb67028ba252aa9382d4169c2

SHA256
4d008f631698ed1b7b1e762ae258281099cfb60d3169a0e7f837f2dab2077d0c

SHA512
b27f3ec4da5e910d63e832cbccf28f3207147db6269fbcd13594aab690c44ff14f4b4d909d9add66416a57445749cebfa1f052e5723a02a836116b8b5ea8d3d8

Download Submit
memory/3136-155-0x00007FFF3AFA0000-0x00007FFF3AFA1000-memory.dmp

Filesize
4KB

Download