hxxps://links[.]dropbox[.]com/u/click?_t=60154b197d654466a40480a2b908d3b7&_m=6bdce31437e7473d8d925f3726c3298a&_e=Yj3ScY5WPxx783MV9WbvUM9uO4z-sSsjaZrd5_b6I8_uGx88nzjE6AhLUjkioFkcNQYVKnhUdCqdi1_mvuXRLepAjsdWarHZUH50Fs9LCxyDdBhzDvMOxCuI9I1wsm6A5oKZuuWjkbfAUJTX9VHM2Gp-qpnTWpjm7ch4KWchR0th-8M8XplIfSPmidOtwr0TnTM8mjCupuCz6U-HV5JzHZ1Sk4lJj8GB2g5XsuKMWiFmolBLe4yKJNtzuY9u5W-k2sQDZz-KAvYhwPhaVTjnonZ5vnQbmsmimzJSNE3ptKtx6KzNYMeSm7lr6sUUmHR61OEHXW0uBPv0YTViPrDWckmitLQiRmfhKFDx55KT6DAB0wrBHInacx9ZGjpEHFd-AxiF6PEpUjfH0R9NNeU34oVMrjvmwf5U1EZmf-rLnzs%3D

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://links.dropbox.com/u/click?_t=60154b197d654466a40480a2b908d3b7&_m=6bdce31437e7473d8d925f3726c3298a&_e=Yj3ScY5WPxx783MV9WbvUM9uO4z-sSsjaZrd5_b6I8_uGx88nzjE6AhLUjkioFkcNQYVKnhUdCqdi1_mvuXRLepAjsdWarHZUH50Fs9LCxyDdBhzDvMOxCuI9I1wsm6A5oKZuuWjkbfAUJTX9VHM2Gp-qpnTWpjm7ch4KWchR0th-8M8XplIfSPmidOtwr0TnTM8mjCupuCz6U-HV5JzHZ1Sk4lJj8GB2g5XsuKMWiFmolBLe4yKJNtzuY9u5W-k2sQDZz-KAvYhwPhaVTjnonZ5vnQbmsmimzJSNE3ptKtx6KzNYMeSm7lr6sUUmHR61OEHXW0uBPv0YTViPrDWckmitLQiRmfhKFDx55KT6DAB0wrBHInacx9ZGjpEHFd-AxiF6PEpUjfH0R9NNeU34oVMrjvmwf5U1EZmf-rLnzs%3D

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{F1E53E11-3AC6-4E4B-80E5-9744AD4385FD}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
1960	msedge.exe
1960	msedge.exe
2796	msedge.exe
2796	msedge.exe
4652	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4460	1960	msedge.exe	84
PID 1960 wrote to memory of 4460	1960	msedge.exe	84
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4532	1960	msedge.exe	86
PID 1960 wrote to memory of 4152	1960	msedge.exe	88
PID 1960 wrote to memory of 4152	1960	msedge.exe	88
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87
PID 1960 wrote to memory of 1576	1960	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://links.dropbox.com/u/click?_t=60154b197d654466a40480a2b908d3b7&_m=6bdce31437e7473d8d925f3726c3298a&_e=Yj3ScY5WPxx783MV9WbvUM9uO4z-sSsjaZrd5_b6I8_uGx88nzjE6AhLUjkioFkcNQYVKnhUdCqdi1_mvuXRLepAjsdWarHZUH50Fs9LCxyDdBhzDvMOxCuI9I1wsm6A5oKZuuWjkbfAUJTX9VHM2Gp-qpnTWpjm7ch4KWchR0th-8M8XplIfSPmidOtwr0TnTM8mjCupuCz6U-HV5JzHZ1Sk4lJj8GB2g5XsuKMWiFmolBLe4yKJNtzuY9u5W-k2sQDZz-KAvYhwPhaVTjnonZ5vnQbmsmimzJSNE3ptKtx6KzNYMeSm7lr6sUUmHR61OEHXW0uBPv0YTViPrDWckmitLQiRmfhKFDx55KT6DAB0wrBHInacx9ZGjpEHFd-AxiF6PEpUjfH0R9NNeU34oVMrjvmwf5U1EZmf-rLnzs%3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffe223246f8,0x7ffe22324708,0x7ffe22324718
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,6393786686545484737,13528690157036364281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ed0ae1eb4f93b64da29470adca6a4593

SHA1
7dc53f1491c522a40a76f59fe3f9685b1ec0ad27

SHA256
ebb96ed268e089b8894204bf1eafee1ed180add3cdb946781425997ac6f35a04

SHA512
769a055fbe85c063b0929a698bf50b9d0823a2df3e43b2cf3ff68a3d89036ba4851b97ef8b36e5986ba183ed8863fd168599e13665bdb7868070e986434764e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
70c61d82d37ff5b172b149033f6407cd

SHA1
646a7821197a968f57c5d6749bd18657084145bc

SHA256
679131becdb3c1b9d5fb79d02ede3307e23ac4788467954e05427ed449420887

SHA512
d105355b55f2871e0e38c16b74971e52961de7bf77be37822ce740a84760a876a0725df3206259a2f0b386e03fc19170cda8ae809cbe7270701b797761700c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c68ded57d323814adbc6ca436c78242

SHA1
99ec4e6193afb5fd520adbc25915b891bba786f1

SHA256
9fcdaac2ad5fecd25b660e4b2f516b2d3fcbc24eb1d276a997ea7773ce9a216d

SHA512
cd9200afde467e16e0cdf080c926e838b9dea844949e60c25ee8eed187cc668a3bfb3952661b1bd6284da32d0134b01ee87e0551601f7c1d02cca1c6f4072bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0b18b049b7670bc2f6a3e8ed8c2aa47b

SHA1
8cffb991f3fdbf4d201eaaeed4bc277e17ffd694

SHA256
73faaf3bd31d4bbd2d8c72d3ba3282be2fd5c84c53a7a89b624d0a5dbab80ae0

SHA512
ddbf9b9ea6e629eacc9e2329a583e7d49576f3e057eafc315821fe1e9ddce69ec2b0e51e07cf90de5faedf6cfc86aed51e0888018d3d1a3555d739358ad7bca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b844ea4f96da6b6e05caf7c9b88326c

SHA1
542888f12bf7f47d50a9f12cd9360baf22df29db

SHA256
d6b7c53b2334f6ea1bac0b1e265ab9a1f492690d0f3f17cabf5ad1e33088fdce

SHA512
951f2fdfe9ff9a442367c5d7d4d6e7f22946ec42dc3505ebda1508e8b7d96d1f648ad750b902ccb8083045c936adbd491d48bfcb27ecaeda0b13f2934da8b76f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
fff455090af88df3372e99e9f79a90d0

SHA1
909af44ef5aa459b57adf99adac38d5765a585ea

SHA256
995f08914021718fb23f0ce9bf0acbe301577653fb3a4c0ae91aa3aadf1811bc

SHA512
562bd64894356c23ebbe7928ee5654e216d1b1d78a1d03c13f76020ab1fbfcf11da4746a2681380a8bf1b0b5e8d35a6bcbcfea90813f3f42d4ef8574090ce8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
8fec16e7bcd3052aecc191dffd2f85e2

SHA1
3a05a769fe9a2629e3580da79c2bce4980d52145

SHA256
c9841900bac92f636af4401f82db9609bd71fd4c8074477daf30e4514ecb3e7f

SHA512
20114d12cd0d50a1cc9e31f3357eb54230d86d7e18005823affded0e5a7cb5d04b31f50f56531b68d2cb1d506888fce88d8bd8c1215c29af22ada12c43c7e365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
f1565b1bfb1c3fef31e7f2b382414065

SHA1
55c3ba0f3ae808fb7b8a706f109b4944283523d7

SHA256
d96d9203fbb538e15d68465abee193e44be215ddc24b1444e9463b20b971568e

SHA512
87f2562f5f00bbf55a414fd88e78e50e84df96cb058a095f801d297917e1e4fcb35fefac98890243234ec17b204fda8f6c6a3c0c4897b00cdf05c8257ca777fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
a4b1c78b7b89a6e8184624e921e750de

SHA1
0147b3e9924c6529177a884a7c5d0ecec6b3d022

SHA256
8ad516c46e5a8eadc93b40ba86ca5f902f6ee24d07a7dfadc4c7789160670845

SHA512
951a6838e366baeed14de8b3aacba3aef59c17d46b50e3e0fee128e72c7fca65ae7b6f334b3014b5048ab27ea1fb8ecebd5ffa0158f511a722d755ae28bddbe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
8054129f85f6a1b048391da22264ecd7

SHA1
4657ee391b0e990762b2dc963c6fc82e49ba7a49

SHA256
d8b714badade7a81e33c5cdb70c01c2f3293d04e78be86f3669769c7ac7b4cc7

SHA512
84aec28d1474235b391dd1e93e09744cac80c7249de49717af6a0734bac49d0b28a674f773c48a8634326c74077f3141370a8837907881667c5fe4120d3d4e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
4c5f10efbbb57cbc3d3b4f4b3661ea5c

SHA1
da4e785dae8ffedeed1fca4a8357b8434a81ca12

SHA256
d27eed48835a4d948c6202b1aec75e22703177f0a646c0cce2cbe2a9f5a7e0f9

SHA512
59d3640a4fdce497deae9b57249264a07c241e7e99de352f8f6628c217116c7821cbded71abf248e8411ec928e12e85ebce0ec7a9e592fddbf43930852bd9fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5868a8.TMP

Filesize
872B

MD5
dfe5d706646cee8726bb3d9dbf25b73c

SHA1
93ceca44798fdeb076273cc5e63a9c2c98a346d2

SHA256
71baddc96518f877910bc067824a949b6c627d935680bd3da2fff30d187a3551

SHA512
ee2bbea571527bd8d1894e96eda1a67cb247d3d2e10c67087c88911f0cfc22442d32675e3477c92db3b8b0d346811fcf0dbac77caf000c18624e91a243ceac17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ff7e7d90-f195-4762-80d9-d7b06d528d23.tmp

Filesize
870B

MD5
7631b5c16a72db3753825ea75453d7d9

SHA1
dd3ab076f22f969ed2c0411b36dd42612d11552f

SHA256
18fce9eac528b6c8be341eb672071eec8c47c330713a485b2c0b7883f533c36d

SHA512
e4d8145507989960d5a125b16fe0e86dbcc9b11bbe5133d9832dcb578883b7bf145a0130eb9c2f703fac92646e0870e658d790c90ba198effff6a5001894bcab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
68fead407ce10a098131e9fd52d9f329

SHA1
ea7ac51feb1598c2194b4d23f3c262c2832c92ad

SHA256
42ceabf3e357257365fe925d54373649b6f958531a13642cc48ce1f1cd290bb7

SHA512
a3f2ecbe1626bb794a3dd30fd37a2fccf8ccdbf9bbbbdde0111bf2a44fc9fb6501ae53811763e48ff7451fdadff8e97c6223cb9bbe6da4e494eb3b5daf2d31bf

Download Submit