hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
170s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2023 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2396	msedge.exe
2396	msedge.exe
4912	msedge.exe
4912	msedge.exe
2760	identity_helper.exe
2760	identity_helper.exe
2024	msedge.exe
2024	msedge.exe
2708	msedge.exe
2708	msedge.exe
2028	msedge.exe
2028	msedge.exe
2524	msedge.exe
2524	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4344	4912	msedge.exe	87
PID 4912 wrote to memory of 4344	4912	msedge.exe	87
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 1992	4912	msedge.exe	90
PID 4912 wrote to memory of 2396	4912	msedge.exe	89
PID 4912 wrote to memory of 2396	4912	msedge.exe	89
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91
PID 4912 wrote to memory of 4980	4912	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfa5846f8,0x7ffbfa584708,0x7ffbfa584718
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17235461928805818770,8219957316788032984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8c6dae6b5bfa6564e8b87203bca85e68

SHA1
c73fe610d17a8c105f86e3790bc200e997655638

SHA256
55f57269f4d3aa90fa11ce944c8ae689932e7cf26574a38abcc2e705f6cee0c8

SHA512
9ef112c05995cfe4bfe0abde8bbadd88f2948f4ee241307dd95df91ab61b4119d9177465bddc2acab363e42c413af99af709987b5b4112a4897fbf7c6e03cc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
109e1c30065476263eb3df76b75f8a07

SHA1
54284ef8762f12c35066dbbca9c13f1e757b16c9

SHA256
ffb041926d8ccb514fdaf2512ad1119309d62de0256616b7e538261ee7f8cf6e

SHA512
e11b3bc1a0f2a1053f218807de15395d8cce78bea009627164bcb907a646e0592fda60ce929476669e61f6b3909c5924ffa3c894586f386ca3524f04de9691e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6298fbe2ad09b06a051158d56191a3d6

SHA1
29896875a3aea092c6be6d8d33330732b17f896b

SHA256
ae3f8cc33a80627647ed936fddfd46fbd0e3a63f1bb66e4537ef128af7e291af

SHA512
8431f5c3022591c06068a44182feead93eacf04e3cc75a34c6491f3ccc105e2699cec7ff38550651091306214d1f3eaf30a131767a8a4377834a6daa1b34f003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15c736c0379e4a51fd9ded6f01fbd046

SHA1
500a49c28cc5b3eabe74b7ac99436131eba97f09

SHA256
81d662cd3fbe6b9a4cc613b09ac8171c69f9723a94e81958476161f868257d11

SHA512
b36b60d12591facfce6ecb13dcfdda6c3470e7931878aa68e705d0512deac5938de1fcf572fefb561aaa989a91abbbf88ee45e342d59fd2c56df12b066eb097f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89702ad236a4b2f22703bda3eea214b0

SHA1
24b96d6ba94bf53eb5d1086cc02cefc4295fed2b

SHA256
ef7eaf4cc6c15ca2cc67fa6710f7472eceea8af69d43d95ddfca856c23d0d1fa

SHA512
4b897c13ebc8d064ae401e38f3d4604d8c5cf86f8002a77617cdbe62c2d8a57ab6e3d2b679a9200d49a1f448b6f1b9714e7bd436a3d6c248dfbcbb1a7999acec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
58b8a7b7be97b072adaef03c61b3bb43

SHA1
6f42aaf342f8dbd8bf38d5d5e7ea234844046c43

SHA256
74bd61480c06d9d7f71b8c0f9a06a50bafe77dd38d6916f2a258dc3b924d2277

SHA512
7fb9a7c7e11795c03356d01db7de9cc09f0e22a535660e8ab8cec45dc0a06f9dad22aa19937e8987a2d209ce84ca5f75b8105527ce9c064cdaa76eaaf0864c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a514898f27ebc1203ba13f4e7d3264d3

SHA1
660297454523ab93cd5be98202033022a6f289df

SHA256
6ed823b98924648ad468093e780e2c107c14d88b7dfe7dbef3b7c51afe71a5ca

SHA512
415f06de161d9e10c61ad827856950d01916fe6ef2e2a594d1f9c475d7b995f5968d9ba35d0110e9bf1aa7df7a223d6ad46d57bb6d4db277b061d3cbaa420e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
abe5bf1f4a77966bbc91cdadde912209

SHA1
ee123740306d80ad4c83ee5e7b6c39272cfbd322

SHA256
9713732c8068e86e8121d1a3df7c6645d660bf3e4d2296a23a403da47cdae06b

SHA512
84372b58d37c666662d0814ded78298e7807471bb7325528a80d6841e4d5089849d061f8e333b753a8a057fdc3f058329fa373c08832a4bf7adebe2aab5439f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
10f5b64000466c1e6da25fb5a0115924

SHA1
cb253bacf2b087c4040eb3c6a192924234f68639

SHA256
d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b

SHA512
8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e46afa3fc278d2699c9e373c22fbcee0

SHA1
6593658be07114708bad42022b8c76824ee025d5

SHA256
70762d0321af64c03241158bbd83780cd96907e4854981dcaaba28f81ef62e0d

SHA512
9464e12fc96ebd5393fd462d6a548be8de085d0ce8b5c1827325ab4d967d5a41a95214fe8b212621baaf893e1ee4a96b569e28e5ad1f528bff9171403a77c33b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
32548d71ad6f193d3ba604feab576646

SHA1
4bfe8122e4e23c1c41500ee9b71afdb118e10252

SHA256
b151b39ccbae2d15605afd416ab54ab900b0bcd3208da1e22d33737cd9fcef60

SHA512
90a861f76fc38ab5bf1fee56335ee713ab6deb9f98b47966031e3b81146c69cccb2c04a749e749b4a0faf64cdc9c9d7ba53d44ac7b16722cc8b45d06d088011b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd68b1a1cf5d943e524feee751b9f76b

SHA1
e04a3658843df29e35eeb0b4f62a7e0d3ad0d3c3

SHA256
d0b7511b251f5c947d616d9ab718abbb996ad2b2c0412227aa4e5a6479dcd299

SHA512
18a8cdc2e6eb8a2d64bcc29ec0dd7d2a07c56fc025f1a7f6315348a9a77854e22941b05b280d3c6a41cadd0262bf40550bc6c9468a8d866466a834ab4541098b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
537d820cb6925cc9636075e4e899e281

SHA1
2db22eaee48912fb25cae1d78c3abbe9a89b2c9f

SHA256
7941b22dd2312b553e2236843ecc720300fcda321da64c4d040708d2b8199b70

SHA512
031d480a1d1dc22b9d5d310c4118487ad1891b6fdc8d92ad210f064ef2a4b7415e491375c72bf137762bd1d8ec3ba8c4a46ae2fbf948dbd6dd501db3f09bd9a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
82c2feec3ec0f36ca29b3eb9cc9320db

SHA1
4d1685049454358cff17cad90ffa61dadf2ac715

SHA256
0ca4482b750b6087f5d3609ef4f2a84cdb3495a26275e62bcc28927ad66da6e1

SHA512
ad3aaa53155726636f95ca80b969f910f7ba5a15db3f9c6da0e7fa431a62ffa0833d22456b87ce0d89d484cb84f2b485e5b1e514801c13af14e8f731f3f0362d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70a63f05a1dc66064643635a5bc51e3a

SHA1
4df2ddbe5d52c8df3d66f4473f37731aa6c4f2c5

SHA256
b391fbabd4a3a5eb2d49a3485fc2604e09c23599fbe1849666822e82df1a05ee

SHA512
0921655e50abfac1f208cf03930ea3621dae9a2d61b4b6fc51cad9ed09e9c0e6aae902b361aae9886e2fcf1f0c2ee2e7907c3d3c69cfb97a08c45060b3b8b7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe65.TMP

Filesize
1KB

MD5
838017f0059f96d4bc8d20a7cc86c300

SHA1
bb1913994a1c238e3319290b053d301a13f5c464

SHA256
ea16f63d61d463a131b8f076dbcca9e72c9da3fb64656e6ca6cc7d5a3b7d7ce8

SHA512
dd9d53e6565940da1d25eb3559553281e1c286f6eb1fded11d44b5923cc075513af03b492e75336d829937998fd75beb422530f7ec102b2fdaa54bf6110caa77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22ac6944c9acd36d9b58cf446c188be6

SHA1
19b77b7fed835201efbb83ff03daaf615ed44dce

SHA256
4481e3d1959d94c4c62d0cd2d6a37d15da28c4da6465ab6c8a1c30a743d378b1

SHA512
3df27bf262ced395a53966ba0eb7835fb3e025a662246b366906ae3098fa0536dc447d559cc0f1c56f41143401d4a4be4ce68e6582532d8ee2ef58be574164ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
062a64890ae552beb158b91f27816094

SHA1
4f8f7c415c0580da1e36807cc41cc5aaaa624329

SHA256
ad3d7b0404ba38a8088b0ed6910a9ace2185525d753a615e880a1a8e9894c20e

SHA512
c787f538f101b8c3c84a5a55f665fc17b6201c5fdaecc2996fbf9e38bf0b22028e48bb6993e46e061ae5a75a69ca6434a81c6af37163800a3b05a39c7bedd037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7646d5b82dc0d83893c529ca8c80960d

SHA1
29597dc6710fec4e2ab6f23aee3f043b3a89ceb3

SHA256
5bc762b520133e2dbb6e6f61324d4e7e92d650086682740b7522ff9e45d50949

SHA512
d6c526b71ca1082667c73d589c64f27b1a1996ae19fb01dd06dfa739b068ae68aee2980896331e59c61af1436b3ba81da7fd04259ef9e7280c7eb84cf598a23e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e8a02c2dc05f58d5457eb6ed2f0d2b26

SHA1
b572a0a3031be65adb11af217f38fccdee953f41

SHA256
4120353040dd00cee62d74b7832c5c3b365387cbce53fc0f5a651479fb1e4ecd

SHA512
f355ab446ed96778f7ecf4e96341353d766a3090013dda101dce042a1ff446dbc4492bcb1240d30a43dfe431ace04412be46556d1e81fbcb134028bef68951ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0340e16903ac1a44796b2538d9a1d638

SHA1
2d71e81c43079ec7aca1d8e7984cb50976f092e0

SHA256
b9f330fe6b3973a7b67c0b8ee4a4aa7ac31e9b0d485dd5be582ec66096647579

SHA512
e252cd69a6cd9a76729c70053c5f5dcd7ef1834a120b3b26a87652aeac11897b2af3d7ca8bb92a7c196fa4d5f11cebbd6f86893c8889462f93fe38e2616bbb7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef3f7174d059951cd971c6c6a9644bc0

SHA1
7c5e75b170d16d3d813bad286523eaa187fba572

SHA256
ca83d96afecca73c742cd258c6ef34b4ae30beee4d09945573bf496e8e5a4b70

SHA512
2c18cbad6aeaf0bc027aacc05a84b82f6a2f95c3bf25d421981bddec6a9a9f7e0925533c30ba3ce11a4f15889906e76684e5d67e47833cfa4dc206904fc304be

Download Submit
C:\Users\Admin\Downloads\AdAvenger.zip

Filesize
5.4MB

MD5
dd0cd5436709146f9ded29cdab6f9847

SHA1
3edf49f80bb9c4a46ca9379e25c8366d94be7d0d

SHA256
d0607369ec47f863c1b6bf52527c54a5bbabb97736c22f46eb01c45864a68fdf

SHA512
253766a39558d4fe1c61274dbbc6e04631aecf2f1247bd9d3dce75b970e2628d0b0530dbb321ce8475a0e30e2aa2b970aa821a7f38920fc19d55c4765a129cbb

Download Submit
C:\Users\Admin\Downloads\SecurityScanner.zip

Filesize
2.2MB

MD5
d49202312c94a40ace73d0bc16c7d213

SHA1
82cc7b285f150e5a4f88b103bcd2d3b1e66ca6d9

SHA256
6b172714b9c3da500da1c92971c9a1c4a5a8742fdf5dd62bd1a5587740fefb22

SHA512
fc451e431efcdbeaaca725af97079df9e467adec3fdc4e3b75c9d80ee6810b6ec595c15f331dc339e7bf486656e5ef8e6a21478e48ab5038c7b04189a6a1f973

Download Submit
C:\Users\Admin\Downloads\SmartDefragmenter.zip

Filesize
376KB

MD5
541d8406002aa2750a2cf59480e71d94

SHA1
ac40c4715cca6967e2af789cee246b5a0d533a9f

SHA256
ddf1b79f563d94bb3ddb46b37aa010d95403dc7a1debfc9476a8ab449472b738

SHA512
9d3f5fd405be3a76b9d0150e58a2af24cd609a1b7b63bac9e68350a0b153a42bf4941c5d2d8d752ee5d9d6dcc690250811a9c688e2efcc458abef71580add73b

Download Submit
C:\Users\Admin\Downloads\VAV2008.zip

Filesize
765KB

MD5
b698aefa1322550e130867cbd69ce67b

SHA1
74c12404ed33cfd13b58606757f9ff0e06650c41

SHA256
a2247754d4305d00900da86b8957562696f80ae025c8d8eac27f38e4023e7f89

SHA512
b1242e7cd5506955d6d999213f98f16321cb866f7fc6a14ed9d11e1a8735c9b4632e9e8cb83073797b5ace91b963d57bbbb63ef8d3640c1048c962778834b5bb

Download Submit