5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dc

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe
Size

348KB
MD5

01b925b499a5bc1e9d7a2f93d8ac0c65
SHA1

d26e14bd928d6bcbbd67c482875bcfe6bf98ca2b
SHA256

5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dc
SHA512

d2718cc7cb1cc26674f9c19807a9414450a45c4ab1b156722740e49263469ab5831c5386e2e7e71fdbf0509bd0962f80a730ead83ab63a1feb3fffb06075e863
SSDEEP

6144:ZeR7eammRd3K+q9KiocO2WTYqh8YE6ALJf9odH7MxbyElT43u:ZeRtBRXq9LocO2WTYqhjBMM73El4

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1440	difficultspecific.exe
5048	callcustomerpro.exe
4948	callcustomer.exe
3512	callcustomer.exe
664	calllcustomer.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	difficultspecific.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	callcustomerpro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 3512	4948	callcustomer.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2104	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
4880	msedge.exe
4880	msedge.exe
3848	identity_helper.exe
3848	identity_helper.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe
3512	callcustomer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	callcustomer.exe
Token: SeDebugPrivilege	664	calllcustomer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4236	768	NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe	85
PID 768 wrote to memory of 4236	768	NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe	85
PID 4236 wrote to memory of 4880	4236	cmd.exe	87
PID 4236 wrote to memory of 4880	4236	cmd.exe	87
PID 4880 wrote to memory of 3928	4880	msedge.exe	90
PID 4880 wrote to memory of 3928	4880	msedge.exe	90
PID 768 wrote to memory of 1440	768	NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe	91
PID 768 wrote to memory of 1440	768	NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe	91
PID 1440 wrote to memory of 5048	1440	difficultspecific.exe	92
PID 1440 wrote to memory of 5048	1440	difficultspecific.exe	92
PID 5048 wrote to memory of 4948	5048	callcustomerpro.exe	93
PID 5048 wrote to memory of 4948	5048	callcustomerpro.exe	93
PID 5048 wrote to memory of 4948	5048	callcustomerpro.exe	93
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 3812	4880	msedge.exe	94
PID 4880 wrote to memory of 2808	4880	msedge.exe	95
PID 4880 wrote to memory of 2808	4880	msedge.exe	95
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96
PID 4880 wrote to memory of 3184	4880	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dcexeexeexe_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c difficspec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2luJX1
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7c2646f8,0x7ffb7c264708,0x7ffb7c264718
      4⤵
      PID:3928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:1496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      4⤵
      PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
      4⤵
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,286323827149338229,4237707431733097843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      4⤵
      PID:3428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\difficultspecific.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\difficultspecific.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomerpro.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomerpro.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3512
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=169471 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe" & erase "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe" & exit
        6⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2104
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=169471 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe"
        7⤵
        
        PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\calllcustomer.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\calllcustomer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\146e33f1-0c9d-4e3f-add9-8c14417be67a.tmp

Filesize
10KB

MD5
5293c950762fa80cec68bd119f5ca68d

SHA1
bc1c257b4aa944274e92ff9f681f11b28e6ffbd9

SHA256
e4dccc0dbbf1154f649d5ee85c6d684c04a622b364bc79a721ef26543fa0f6f2

SHA512
b6d8f50b9f26b71e1137c659721be5104c633796ba1fa2189a6bc450eb657dbff6f731cbe038c35bf3b0bf2a7be3e348d22588dd808dfca5a24ac3bdf442d642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\24b03dcc-124d-446d-adbb-a56047c2ba87.tmp

Filesize
24KB

MD5
699e3636ed7444d9b47772e4446ccfc1

SHA1
db0459ca6ceeea2e87e0023a6b7ee06aeed6fded

SHA256
9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a

SHA512
d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4ced1e56-4549-4f67-9ee5-437ae1860c7e.tmp

Filesize
5KB

MD5
f188c275de215e353709d6725cd0775a

SHA1
fa81890bb25f9be2d1752cd7d38316b3eb79ed45

SHA256
28cb906dcd8634667cf972e5fbc4ddd9c0b09adf26375e98e7370f73261d64d9

SHA512
d4e5d0ccf2f1806d6985365046d098c97092c477400d578d8bb859899433d1bf4384826265521c81f256a2e04b4cae0b0f444cbf5e66ad0b2e4c1bc907db3981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
fe06c90761d116802479f7a9b9da91a3

SHA1
137c7f12ed86914b5c42ac9c8cbb70f522c7c7f8

SHA256
89d891d819e85ec872306573a2fa131923bf16dd396e53304a4a0a2904309109

SHA512
dc253493d1d1e221ccd0d77789fa46e63351ddfad55046f1f25751816cfda9e8e6ecd7490f1483afc45843013a5f7d8b27c87cc9112c842719425bec61c5be01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
021b81b867c99e3cadf8cda5b98f2a06

SHA1
d95df1d187fdfeb9e0aba0d5f4d20a7edd412d70

SHA256
f6d6ee145dc85815d96c61eec6099abbd46bd93a4904db7da506cd8eb68e96b9

SHA512
0a0b31ba475fcef9cdd374760e95c7d9e9831d6d7a31b1f63672f56810cb466df06ce29ba612095867111a2a1160d122d60b6b0179dce899bcc3eb61c735f6b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
2KB

MD5
a464e043f4669151935ffbcd1f029b97

SHA1
2266eaac09bb1a081d86a25f7d26d8e02362e56e

SHA256
d923964f640f73d3f0ad28aa0196a34f8168ad826bee78cdb18b18bdb2a6a942

SHA512
80e1e8747f42039f76aa2ddfe702295f2099659543a400e4ec76630c48ec975dc208d84d3b39a81ef8ba8fdd937dffc19ec17d8b425d2a68952d64cc54c695c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c3321d22c862e242c0de4da4be2eff05

SHA1
726cada9146ba09e7f704586867df8f84fa193af

SHA256
30ba21723a86a65a11b6c99ea0330a8327dd5fa93b6ae742accb1b744e3e3a7d

SHA512
a034c790377db180d0f04547f2c15cb4749d18f1974351271d81667a1e4191be7af8a6f590e3855bca2f57f8cdb5adcca64c0c94f084e7090c8395ce9b3b63b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
90c5645e6887ea1920dda7ac517e119f

SHA1
184793ea5120dc1e332754fc3f99998353b7f0ff

SHA256
a383eaef9c6261c28d3eab3746dd14fe03d95bfaa08a4047991991e9b19ae442

SHA512
aa815e73b093e57d01ad827b8a8ac4c232e8b162ba4428e3d5a6f39d1119a82bd58c8403646d7ac7c1c65777ec74fd96eeb5803bae990036bac4ffe941a238bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5ae3cf52ade16e230460916920a865a

SHA1
fe89ba755bba3cae9e8fbd60c03d05608b1d0f5d

SHA256
aa60c55d1294b81ee861a7547f78d2fa02be202a6e314514148c9861d8139ccb

SHA512
62c30b73e1797301876356e237629fda69ba4ca233417666106082bdd35c4c25df193c0db0e888eb5293dbccda3dfffd5653dbedf059ccb9215517d0d436a078

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\difficspec.bat

Filesize
44B

MD5
1008f540d99464004e9ba59b516db7f0

SHA1
c6f54b19054556d3a1cca9c0fc5463cc31017da3

SHA256
1e931f7e7c50c959e8742c51f9a10ef9819c0275f640a9c7b416120acbbd7326

SHA512
151d6be89ca23148fe16b540e3a788e652fc3ee8ed5922149b1dab7b09c09e64fe6fbe20246c7e9f40f896e21311b1a29f43ec468e2a3a46a41ad4314f4fb3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\difficultspecific.exe

Filesize
287KB

MD5
30f9d03c2de3388b83b1dcf015ccc348

SHA1
c97fa70c6ec11ff884be979fd098e880f3ea7bbf

SHA256
1f0f49b6749d7d6244c12f265cce52cf8f53e0c3e57d7bab1f42a9ff26042928

SHA512
47e89747a387ef16e098a5d9244918b4c6b49e07f7e56dcd75e4d38ca32d23c1786110f60d7c35d100795bc67b023ffeda207f692c3ca90fac3d60a9b6b6c384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomerpro.exe

Filesize
211KB

MD5
71ba05d6ef82d8a9069cc1c3dc730dce

SHA1
8ae2e3f831ae81baaddf6df39467dfc1d1516de3

SHA256
c1994a34c0a601020436acc1765b0f1486a6ed0de3e8962cfa2fbd72cdcdd497

SHA512
b1da8e249b472c47ec9df0b979937b620c78fdd7556933dc29b7316b3ce9dd8840f00d385e09219ba50b6902fc82413bd6f17e8f6e59d5a02a888a151bc104e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe

Filesize
165KB

MD5
d7f4dc34d195688caec8c3a5b1517f5e

SHA1
df0f8f83879c2fbf5afa1948c20e4c56864f8b90

SHA256
cb387bae0f6159b3a7b95e80df34c2d9480cd52d15e3b606a9bdb7072a759883

SHA512
bf57c6014a8c4784a2edbfb216edb90415894e1edf69c07ce297aabe2836ff3ebf3586671a41995416668442adc680da195ef85adeb95dd96fd7edd058592aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe

Filesize
165KB

MD5
d7f4dc34d195688caec8c3a5b1517f5e

SHA1
df0f8f83879c2fbf5afa1948c20e4c56864f8b90

SHA256
cb387bae0f6159b3a7b95e80df34c2d9480cd52d15e3b606a9bdb7072a759883

SHA512
bf57c6014a8c4784a2edbfb216edb90415894e1edf69c07ce297aabe2836ff3ebf3586671a41995416668442adc680da195ef85adeb95dd96fd7edd058592aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\callcustomer.exe

Filesize
165KB

MD5
d7f4dc34d195688caec8c3a5b1517f5e

SHA1
df0f8f83879c2fbf5afa1948c20e4c56864f8b90

SHA256
cb387bae0f6159b3a7b95e80df34c2d9480cd52d15e3b606a9bdb7072a759883

SHA512
bf57c6014a8c4784a2edbfb216edb90415894e1edf69c07ce297aabe2836ff3ebf3586671a41995416668442adc680da195ef85adeb95dd96fd7edd058592aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\calllcustomer.exe

Filesize
165KB

MD5
c74182bb7ed5cfe722c5c271483045ca

SHA1
0197005e6b1d2c7230eda51d16b11cbd756eb6b9

SHA256
1613e7fa2ed812973269d51d6d73278d51a39c10a51b2f688ab5d4878b053fba

SHA512
33757722210951fa19ab957ac0436f707ab3e10d21f8be2e3c27be5b21da0bdfd9dfe45b3d520b8257bcd3ac9276c797e2b83d426132dae05a93b9dd46cab460

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\calllcustomer.exe

Filesize
165KB

MD5
c74182bb7ed5cfe722c5c271483045ca

SHA1
0197005e6b1d2c7230eda51d16b11cbd756eb6b9

SHA256
1613e7fa2ed812973269d51d6d73278d51a39c10a51b2f688ab5d4878b053fba

SHA512
33757722210951fa19ab957ac0436f707ab3e10d21f8be2e3c27be5b21da0bdfd9dfe45b3d520b8257bcd3ac9276c797e2b83d426132dae05a93b9dd46cab460

Download Submit
memory/664-164-0x0000015EEAC30000-0x0000015EEAD36000-memory.dmp

Filesize
1.0MB

Download
memory/664-163-0x0000015ED2300000-0x0000015ED2310000-memory.dmp

Filesize
64KB

Download
memory/664-162-0x00007FFB77AF0000-0x00007FFB785B1000-memory.dmp

Filesize
10.8MB

Download
memory/664-167-0x00007FFB77AF0000-0x00007FFB785B1000-memory.dmp

Filesize
10.8MB

Download
memory/664-169-0x0000015ED2300000-0x0000015ED2310000-memory.dmp

Filesize
64KB

Download
memory/664-161-0x0000015ED05B0000-0x0000015ED05E0000-memory.dmp

Filesize
192KB

Download
memory/664-165-0x0000015EEAD80000-0x0000015EEAE76000-memory.dmp

Filesize
984KB

Download
memory/3512-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3512-157-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3512-173-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3512-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3512-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3512-166-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4948-65-0x0000000005BE0000-0x0000000005C64000-memory.dmp

Filesize
528KB

Download
memory/4948-156-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-150-0x00000000063B0000-0x0000000006954000-memory.dmp

Filesize
5.6MB

Download
memory/4948-133-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4948-113-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-72-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/4948-71-0x0000000005C80000-0x0000000005CF2000-memory.dmp

Filesize
456KB

Download
memory/4948-39-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4948-30-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/4948-31-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download