hxxps://www[.]dropbox[.]com/scl/fi/66dhj6k0x9m1fmuryy43c/PAT-TANK-INC-revised-Proposal-5579-[.][.]pdf?rlkey=7kv6bkcoaqly1osxopz5gt5v8&dl=0

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/66dhj6k0x9m1fmuryy43c/PAT-TANK-INC-revised-Proposal-5579-..pdf?rlkey=7kv6bkcoaqly1osxopz5gt5v8&dl=0

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{F9164A22-F976-4B43-AB30-4909A434E1E2}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
1176	msedge.exe
1176	msedge.exe
4344	msedge.exe
4344	msedge.exe
4908	msedge.exe
1328	identity_helper.exe
1328	identity_helper.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe
1728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4772	1176	msedge.exe	42
PID 1176 wrote to memory of 4772	1176	msedge.exe	42
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 1492	1176	msedge.exe	89
PID 1176 wrote to memory of 2120	1176	msedge.exe	88
PID 1176 wrote to memory of 2120	1176	msedge.exe	88
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90
PID 1176 wrote to memory of 2244	1176	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dropbox.com/scl/fi/66dhj6k0x9m1fmuryy43c/PAT-TANK-INC-revised-Proposal-5579-..pdf?rlkey=7kv6bkcoaqly1osxopz5gt5v8&dl=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5cf846f8,0x7fff5cf84708,0x7fff5cf84718
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17637246813284014695,7646249541680976995,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3d0502d2-733c-4f3a-8d56-7986ec79f00b.tmp

Filesize
1KB

MD5
6dc076529fd4aa6f2f48034874545af5

SHA1
60a109c3990547ff8853535c19c1e2fe1f60b4e5

SHA256
c35a3c1870c140cd8990013eec28336ac98f99d48d9904eb289e8a46c8d804f1

SHA512
f969016f65cb75e590836c5aa0614cf8af1e0fc9c24ef962e197eb52a239a3dc124bc7b85f3fdf91779e764d3c62342a9e10f41a2d1096ae07f85fb902dff39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e2052d784eb65a4779187cbff53d54bd

SHA1
529ee7097d8eba6847f673617259374441c9ab2e

SHA256
e1979db884a7b191f806952ae6a07d2e7b5e6d83bc9f016a436d08ebeb119b25

SHA512
e94ca2247287f7faa1229277bc67fc1d7a4d99c1721462d7a78c229377313d32e571e418e9c792e2a109316de476b0800124919cdb3445717be8fd2d5ad7e9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a0340a396a8a520e49c5d9d3d2673b8e

SHA1
d7eaa123c7fd208b14fc347ffcec59aaa32b3551

SHA256
4662dc3159d0c0a64cd3becebef7a4fac73b0eab3e20d43af87dd071e66b5f5c

SHA512
d21614d852d383869c9cd542357d3100d086ef605bfc3e010378f0f0bcd3848e0b135664588489fe3d11d59c6ffec52a66be24593b0d4319588bbd71a4e538fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
956ac6f68b0b995259ad6f7133d19f4e

SHA1
a4586675ce12dd1c402eb55c3f99c3dfcd5fd74c

SHA256
9cf1a4d3f86a0ce6becf1888c452fadf124c7dfac29cc2f291e99a053f236e4b

SHA512
c43cc5e546aa6acb17c220cf5df9d494fc07f616d36fc7f30e593ad312ba19e5109cba19a7c38b50f195e36d336426c4a1b6643ac423f05b24fe15d7fc02bc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6a92785b283a7eb88cbaffd09b9b38c

SHA1
b933b187ce48d0bbf4934a8e8c83a43c5d30da57

SHA256
b68a1913075891f4226fbd8c4b4f783e691014a112d44fa3da0c51a8c0155acd

SHA512
8737786af6fae1d034a27f48e0c1cd722eda1935c1140e42a7b3b4c08613e69db87b346792317682f76328f9d69d5996333fdbf90a95038d4a467bab7a73dacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f9080266307be6ef375f253e00873a76

SHA1
88787bf5113a826eb92e9f8143db947e2efb9308

SHA256
d7f9d80456f16de545cae5d777035452ff367602a5b2521a7565e8a679006a0f

SHA512
e527edd356c40d688f667a5dd9a9378401698e06318c8330ffc9aceb54c28ad26bd6d67ed116365f1765e2cdb2a154d659767d721728ff6b760c43e0d48f29c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6931bf575042cc7953118e465460ffd9

SHA1
da095ccaa445d6ceb53caa0015ef088bd96fea5f

SHA256
3beaf085e740ef410c2b8717ce3b20cf2f7b5f04b580dd7bbe584fcd798e2e7f

SHA512
7fee60e8754bfddeb7f66a6ce0a0a23de11086bd1a24644d935cb769f603bfc5aab170b179929933e9ffc9139a3667c52db01d7a90dbb72af60184f34b30b7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2977110855d34becf79cea0d8a4dc36

SHA1
16a56048ec154d3df8ea1a258dc2489120bde44d

SHA256
aa7b2093c724c1ed6faf0be47730884ab87feb0d61d1d39e22dc5d6379913d5b

SHA512
5d69858219f6b4eaeec55238485dc438041458ba3bf781824ff1f1868144a04f264ca83d540194212dfe1b736267c442803cb31a43e352a450d8a6c948361c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83e8ac61d82defe0e2a6ad446954ba37

SHA1
ee9a514cc2097303663d0aee008fd6447f067359

SHA256
f35ad661f166a50416d85c76bedcdd2da6e522a0a6c83316cec47a5d8d18389d

SHA512
eef39f61cc2d7f6ca6822f89b1ab7b139b76478ce8b1bf3db780971db02c2aca82a988ac7c22bfa38ecf86880967b0364dc5030b720cb8799d748382e9881a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a925011e6bbe4fca36858726716caf0f

SHA1
660cb2c1ffc46a42b6818b48b3878bcbe5f81cde

SHA256
c97c6af68307db3c383ff60d218781014d5b863de3875aebfff414ed1a59c59a

SHA512
b0c593eb652559edc5323492319c8465e887d4982e369172bd39574a336c87f990af64f6daddecde1b2a2f53ee0514f0e4770a917eaf68498e904648c1f204c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
d6b8ef7a0c5eb946606c3720c927cb3d

SHA1
2dd7d81c0a8ccb48ac9129193146d7144a1bd250

SHA256
d34d54686101e42044bdb13fb8932a23dd80cdf0f866d15edb6a962c185012c6

SHA512
1c2e2ce77e0a7ab65220e54a9da20f72d1faefa451b17c9952d414078b2cd96d571836f26e2a71f5348d12d22d41f375675fa6d22405995bb69e2959f7283d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dab6cbd0c657d49cd71a477e62511706

SHA1
bca5a2cd8db145a653b9471a2eda6353b8bde1a0

SHA256
07d30eba0d3267f47358fce57e00b8f27a4c8316d29d84a8c7c1399a64d5bab2

SHA512
a9c61889fd4b89c4b57a77b99ced42956ed7202fb9c1940af3ddb5554c7b528e0275e264f84d776102561ea754c48e1128ddfc6a240fdb51e95f27e86239343a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
f0a4e796312be7a50ad589cd510144bd

SHA1
ab553acbbe479fa7114f792f11ac790978e4b0eb

SHA256
702fbeb34c8c63e4ca9860363374293fac140a93918ac097727afc66728cd770

SHA512
b0dc93d4341725f7c8ae3b7b52fa4c83cf84b645f545c7ae539b8cdc76925cfd25ab8bba8cfb527e66038df6b11134ec26a0eae6d621c6af0f76c433ca5ec306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
285bce2f1a4622ed486ebd339de33382

SHA1
cff85299903969307bcd8a6e9becfe5ff368c411

SHA256
860466758192e5a3ee953f27529346d30d830b9e22b83501961537c59fc74927

SHA512
f56ff99e70d2fefcb272fda2bf950755b2bcbdb83e3ac8cf5b359cffaa5fdbf5f79c0053bbd60d7a727b572cc765a90f68bf410bf7a7440dbe819e72e2cc4550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b1a9fbc7a3eb63f858e9102982c82d6f

SHA1
ebde013fc89c8c519e13b024e5e2d40381b8ed0e

SHA256
9c34b83a75cbc1f799f5ee28a05a15454a7d5f123930fbbbb913ade7776beb38

SHA512
cc1181dae63600810ea32e7cf6f61a5dcfa4656764f77dbfd3d7e3c0ffeb10aa4bcb7dfda4247935614794a967804afbabdf940b4e08dc09a98a85f80bae5755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582fc5.TMP

Filesize
704B

MD5
3e415fc91f49ecb803980b426510ec2f

SHA1
61e38f67f9f1a5cdb10984092635a70b78403126

SHA256
f1e57c999841bdaaa44eecbe971def827c5ac91a78e084865160db2698e76de6

SHA512
0930b058c1da40d6e2a7c7edb8336546f1cfa661c5582dadf3179fba8eb411d44fd79de96e1cba44a78af576714514f98ae34d56a3f9a9f639f2c7b4a92f1f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07f45ab5bdac2e76692ef3ada5cdbf64

SHA1
3960e8eb1d778ac9b6d0713cc18bdf394497d8cb

SHA256
57a9864a57a4426a390b4e87bf4c3f48efeb9635f2459fbc1e7f8dae7d07a055

SHA512
d01cdd83dbd2ffd45f5fbd6dae7c67d74ee8182d0d9bf0c9fb11c1b86b6076c5d1dd8f6dfea49b0920f197fa936c098809023ebe70942e21f4a515b9172bf98f

Download Submit