c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16

Analysis

max time kernel
153s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe
Size

3.0MB
MD5

baea31c4a9ef6762e07787f12d53bb94
SHA1

506040153931e550a1aec358406ed530564a0946
SHA256

c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16
SHA512

563678b1f311de0bbf188abe8a88acbeb90000dfe7e21653bfd279e270aafef4ae7a4bd74e91d7a3f19f7eef7d00021e0da47e57c841eddc1f4d50f2b1f6c6c1
SSDEEP

49152:lBd0aGWaHwq35VUgajuKIlnsF0+MKATK8v83HwAZ9EW+9pTqq3:lMWuwq37axOnsFPGKB4WYTF3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe
4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe
4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
3796	msedge.exe
3796	msedge.exe
4468	msedge.exe
4468	msedge.exe
2692	identity_helper.exe
2692	identity_helper.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe
4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2184	4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe	87
PID 4192 wrote to memory of 2184	4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe	87
PID 4192 wrote to memory of 2184	4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe	87
PID 4192 wrote to memory of 5008	4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe	88
PID 4192 wrote to memory of 5008	4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe	88
PID 4192 wrote to memory of 5008	4192	c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe	88
PID 5008 wrote to memory of 2552	5008	rundll32.exe	91
PID 5008 wrote to memory of 2552	5008	rundll32.exe	91
PID 2184 wrote to memory of 4648	2184	rundll32.exe	90
PID 2184 wrote to memory of 4648	2184	rundll32.exe	90
PID 4648 wrote to memory of 1276	4648	msedge.exe	92
PID 4648 wrote to memory of 1276	4648	msedge.exe	92
PID 2552 wrote to memory of 3764	2552	msedge.exe	93
PID 2552 wrote to memory of 3764	2552	msedge.exe	93
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 748	2552	msedge.exe	96
PID 2552 wrote to memory of 3796	2552	msedge.exe	97
PID 2552 wrote to memory of 3796	2552	msedge.exe	97
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98
PID 2552 wrote to memory of 4560	2552	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe
"C:\Users\Admin\AppData\Local\Temp\c2de33952f28c3c8dffca9df505e6b0817e4ecdcb28357f1a6acfa6c572c2d16.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler http://97wg.taobao.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://97wg.taobao.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b3ca46f8,0x7ff9b3ca4708,0x7ff9b3ca4718
      4⤵
      PID:1276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13602614900242901617,13328889274907708696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13602614900242901617,13328889274907708696,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:2544
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler http://88888888wg.taobao.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://88888888wg.taobao.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b3ca46f8,0x7ff9b3ca4708,0x7ff9b3ca4718
      4⤵
      PID:3764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:1228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      4⤵
      PID:3220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
      4⤵
      PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
      4⤵
      PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
      4⤵
      PID:1124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
      4⤵
      PID:440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14431214976698507498,17674592224854846123,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6028 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0987267c265b2de204ac19d29250d6cd

SHA1
247b7b1e917d9ad2aa903a497758ae75ae145692

SHA256
474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264

SHA512
3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d14a0ad-742a-4154-8e85-503682a60b5d.tmp

Filesize
5KB

MD5
c461620731833055905d950634f3624f

SHA1
670023829e317ccb2f36b31ae8861c48cab4dfcf

SHA256
5ffd8e836a8b2d39630dcfb8feb52f2796a2127a4b0142ca499a3a154a2250c9

SHA512
7b0de2cca19cb2977e0b8288f2f2b1e614fb4e1e3fb0d93a43b145f520ad1006669a7e6ada16808cd64a4c71470c5f07f5165e5bf7652ad2a42adc67f9da2f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
0614da0ee4cc4e57ee751ef1a9f4fa20

SHA1
6debe4490a5e9066466fae43a066e8172f13d61d

SHA256
d2758fdc40ef0c4feee9a2b95f79d938ea0ea57fbd5fa740b9f1bdf72ec3cc9c

SHA512
bcce19839fb1380a24b6d94deb4451fd1c404344df9789887625550b366feeba15e372adddc3a537323c54de4fed29fcffe01660e3aa567124b988ad31e3a940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
940B

MD5
268df0ddad647585965d6d4b086640eb

SHA1
4d829b2a55684381cc346dbfc7c7c495b3c0722a

SHA256
3b2f66d6b29bdaa9d7fdcdad5ffed0d4e39f8d8a1f0bfa4827a7ea4e1781add9

SHA512
7255e0233b794d9718ed241fa0349ab4a050f014320278e7e2cd8c9e10e07149e8a9359d1fa92e3212983e18e308b640819f064833daf5fa069bd4644117d30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8712b2c8679569b01432b8fb61a314f

SHA1
212652667508a6df916f7fe930c1c1ac86dd5ca5

SHA256
c99325e9ec268dcd32a2960c1bd88079bcca7c2c74965654ed09f5620d01bb91

SHA512
4465f92410720652a7ab18b9efeaf979d464d9a1266a7661ae4e3c0097ea1b0eb4ff2dc4e8bf6c3c5c75769101df7c682009330f07ad923fd0ccb8df36e631f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e60754124d1680dee8447c871243518a

SHA1
9b43b16eb94aea3e6e8dd17750e644e454795373

SHA256
178b5619dd1dd1cae108120b5892d794f7d1f4a290a68a1719a50423cd389be7

SHA512
211a6f171508ea2490d3ede78ce6331b30f9d9e6de7a39ab152c866d7d09a020eee3f7186ad3f14dfde656567cc7163091269b451b6e094a52a64698e7a09352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c5eee7c220f05e6eea57d5b10de884c

SHA1
ff13ab62c32d438187f5e6a1fdc942999836c5c1

SHA256
6ebc62c684911bc0325ee367e3364ea37bc29252aa77240f54ae01cfce6e4e3c

SHA512
0319b359277a4b526a039f02d3f89e879e9e9366b9b1f4cffc6f911289813a15420592cff2ec281784eab16056885a6449ea5d7ba091c3925fb42036e1162457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
bfb34316fb3f8374531f6ef14c7f2cdd

SHA1
0ab58f8680aaa53ff59ae17c32e8a6a2f831a3ba

SHA256
e62e3b7e68c0cc77d0890d0bc6f1f8fc9f3e19e951c5ee586f6d1cb6b56f2288

SHA512
b08d13c48660f1349c080590cabce460cf780f750ae7a87a2ad02aa2faf175be99319c9c6fab84b453c7243349cfd85a680030bbe71e8f0641f33bdac14bd9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
0d6048e43c121b84e28d15a64bd3f9ef

SHA1
6663625fe5abc9f012effdbb0de7829b08f53dee

SHA256
f25e2a3eed7f251a81e0604b65eb69d4bdcf8fc8342919618d6ad22128691ce2

SHA512
c8d52d1ba98048bc407964a66747c1f3270134fd38bae9a6efddc27ec7584ff903863fef88ebb58b96fe8f1897fb164d9e5d20ca8f46d287d0f90418566bfaa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ca42c529b3314aeb46d614c96d773a3

SHA1
07d4557598d20158a62175aac4000582b2ace5e7

SHA256
e033fa7317a17afd22a277c7c911508196d4ae9d39f5d70caa7478e93f8ef5f9

SHA512
5a2a61da1f85b5433b0614fd6d33655009e60109ac1f90b26956ac22fa73bad765a9bfb0290c368d3375f55ca418f9d6ad4c4294d82038708c26fdce7588fc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a39e.TMP

Filesize
372B

MD5
502b7e70bc44b10fa0cb0033dcdc3cf6

SHA1
38fd9603b2e20e2858b2c165a4f53cfc516a4549

SHA256
cdcf4b63ad6b3e5d8ba4c3d2b10064d1513990758ed4d10cd974e7bc191fb049

SHA512
08afa78ff4098bf432473c579f9f6a7429d04d7be4c1bab40afbc09ffa60a49a02bfae7175d5a678110e929f8207e917f2536892e5145fa8fe73f872a3ebf443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4b9e500ac10d326581b19f5a5b6d5839

SHA1
e6d10762edd3ef1b61815613d38140261307110b

SHA256
015018b31a4221ea3867eebc359cffbf243c1913abcc7a1bdad8861dd3c7c85e

SHA512
b33b4a5d1d240e69d8c21034ae8e856e4a2b570cc31295dc835f7d925fb3bf2b3bf57bd091b7242188a3ab837171e3a2e0046d50ca3da43b0354e6ffb864d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1e62122f2604790e3f059afd2fd26cf8

SHA1
629c02ef1d236ef75a1364eeaac0775879414119

SHA256
3cac92b011331eca3096b341117436b4bf1d47f0fb67ac587589a0b35a7f464a

SHA512
8c5dc4ee3ba1e8ab8c9904a36b92298736887044949d13dbf6ef33085ea03ef184746eb6db18ee7642c4d45eacb4fd402a1e5ea6beb357268920368f9645d29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4b9e500ac10d326581b19f5a5b6d5839

SHA1
e6d10762edd3ef1b61815613d38140261307110b

SHA256
015018b31a4221ea3867eebc359cffbf243c1913abcc7a1bdad8861dd3c7c85e

SHA512
b33b4a5d1d240e69d8c21034ae8e856e4a2b570cc31295dc835f7d925fb3bf2b3bf57bd091b7242188a3ab837171e3a2e0046d50ca3da43b0354e6ffb864d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e15c86d43b5e170c940f220af2481d2b

SHA1
445fa79835109a119857c16fa4680dcb5432e2e7

SHA256
6d4a67a4b80b896e542cbeeab075ff886a6a46da0617a2597990dced2bccebed

SHA512
11db8b081fa43baf673d9ddae6d99b1ada29e436005394b7d41b9a0c44333967805b5272b306c1a940893a49379bece692a56a251edc79c4b3d422c75089e903

Download Submit
memory/4192-0-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download
memory/4192-4-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download
memory/4192-3-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download
memory/4192-5-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download
memory/4192-32-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download
memory/4192-2-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/4192-296-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download
memory/4192-1-0x0000000000400000-0x0000000000984000-memory.dmp

Filesize
5.5MB

Download