68db1b865c59f114418ff7118c4ef49fd9d2b96bcf113a6095fa61122011dd5f

Analysis

max time kernel
390s
max time network
398s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 18:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

test111.jar
Size

639KB
MD5

9a70270306ba42d4d2fe833a92980490
SHA1

17d31384413cd3d38697cd20a72b049924e7330f
SHA256

68db1b865c59f114418ff7118c4ef49fd9d2b96bcf113a6095fa61122011dd5f
SHA512

7a76dd39da2692ff8d0ac640818925774676967bae5faee4fd4e8183b9111969d1cb4a9e2173fd6516a3134b2f9bf6d860872371476cffec11410f46cac30aba
SSDEEP

12288:S/vFQx/PPNIHV4lBIdQLgW/rRD+BzwNanOgKxqRxA3cu82p8SOVDME:S/NQhNI143bLgWleman34xcuBp/OVDME

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1816	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3125601242-331447593-1512828465-1000\{AA0F2F26-ED42-4803-8CCC-00F748A8562A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
3120	msedge.exe
3120	msedge.exe
2128	identity_helper.exe
2128	identity_helper.exe
2024	msedge.exe
2024	msedge.exe
5712	msedge.exe
5712	msedge.exe
5712	msedge.exe
5712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1552	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1816	1552	java.exe	94
PID 1552 wrote to memory of 1816	1552	java.exe	94
PID 116 wrote to memory of 3208	116	msedge.exe	106
PID 116 wrote to memory of 3208	116	msedge.exe	106
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 4296	116	msedge.exe	107
PID 116 wrote to memory of 3120	116	msedge.exe	108
PID 116 wrote to memory of 3120	116	msedge.exe	108
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109
PID 116 wrote to memory of 548	116	msedge.exe	109

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\test111.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd366346f8,0x7ffd36634708,0x7ffd36634718
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3476 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,8513604489715295119,16171354188758582809,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
0de5b1c13258f99c88dd8e87e588d3ec

SHA1
ca0fb9a46b4cf549b9e75d006d73724f628bf519

SHA256
988991229937cce5371c3f85ade489029d55a84d6ca57363a9b480e6b86e0751

SHA512
07fd894198575683b517206f5f8927d55fcf0024c0d42a47acf2677b75564206efa0614130c2a3447dac3a030afb5ba2d7c4038223a20b4d7659e6f2a11fd9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
80KB

MD5
13b0f12f128057766756d799c40e6436

SHA1
77df18f072ecf9b6e3ecdf88c8c7e2a6f6d37337

SHA256
f3db57ed3e759a47fcb1bba268befae86afe0895a7c5b062c3b27818bef32396

SHA512
3008dfe150a01d2f6a22f027026f018f6866da944a98e30e8586c7c78f24d88f7746a23d247f26aed5aa115630146d63e318acefb4836f41a59459e7e575e2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4c1c4d826e27cc9a3a5e46274547c649

SHA1
3e3230b155ca6c469b2c5810eab1eb74dfeb3e85

SHA256
27a276224d70489fea9915666afc006313396781ab634243eb6dd605e7a7cca6

SHA512
992d753a4d6aa23eb9b4f67766c6d67b4ef0818b1816470dd76ac74f50debb8facc257f8ff5416945d42361f5cf6a48c7e8414435fe1e1daf9e353a4f75b363c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6971893f65a01881ea271c60105d16e8

SHA1
5bbd6203947b1f2f4c1d59054bf7d345040c7fa3

SHA256
544597a40bdb1952a0de79b54d2c6aea06e433bad2e922015f6e87c08fcd1aa9

SHA512
4d80c9505f8def8930a5125c6c519fc0af85ec94f87b43d7fdb5d0214af2163786cfd64b129bde78be9ba52df6d0a851ad79d282b6dc525350325e93ebb1ee38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
87b8bdbc29887cc496c2055be7621fbf

SHA1
972e7d1290e41391289f7a814586a17255ca963e

SHA256
7a597a55819635286f4a0f9f42c2191f93fe346e57924a42d3d990db3b27056b

SHA512
89a02bba3c77d8f941499896a81fe045e6ce67a9763b519c1e791960d78577b29ab3f8da989fb5729f8a992b687d07b2a647694c9e019597fa2c84a4a5afddc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
009970d0dfcba732452fdccfae85a7b8

SHA1
7abc8fa01dd75ffbb68940f20558ceddc21a842e

SHA256
8bab15d90da5e1a83f90d11367e2619a0d9a2b132989e66eebf56032f7e09f14

SHA512
a45986d61387f1c060e0d398bc043773145a98d047f3afba743ccbc125df1b98ceb55990f02cb9b44c01833a385b8963f869f92543979eb27be34c351524eadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
14b9a4104cbe3f05833d272f4f8ddc4d

SHA1
884fc1406f7535830f9185dfd6c581a68c7c3445

SHA256
1049055054fc9767bb679b3d48d35ad424f9fce870c0b353e4f16da4eab2ba9f

SHA512
6d1dec7876bfaeffa3f256ac45c3663f7fe51eb30e0b723aca68b50f1f7dd66a9b6d451d1c3dc5f5b4edf357eff4a8cf437bec7a8fe218d6ee5219ff73740311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c77f2a02168f0e2f7d62408d6c9884f5

SHA1
597c1dbccb3fa4d097f41824727869c96a2240e1

SHA256
61a2c485f9831f1b5d62030dbd2299c2e30d1e65925756ed3637b22f32d96774

SHA512
c9ace14c7129fa31bc280a529bb48e20a91b7bf64cdc8aabfa10b9a1ad24a7d71ade8062024de3f6293ef4e19fdca313c799e1e8c729c7800e6fb46074b4c2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d38978d192d1109104e0852a1426756c

SHA1
3fada14b3d251458b201cb748d80e9c4be8aa68d

SHA256
572477492d59b68c70fd59f898a7c435967a41792df152e353ae5fb857b4c0a5

SHA512
fe2c0faa4b75843dc6be3f98837b5c533bd9599b9ded5115d35e20dbbe680d61a14de6ee8445643c8c7a9532b96d21948d13a26b2e22e059903096919cb86d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fa8cf29f4cfd73f6ed91e73ea765eb74

SHA1
198552578e1994a47067676de90462672902a277

SHA256
5061a6f6be962289a6fd99e86c539e2d0a22ef5132fc394a1de48077c2fae47f

SHA512
32962ae4b0c6281895d9ece18abfab1d2ca0ccf19342dfac98226f8912a8eaa84edf86b1ab2bdf9f273a77ccc43d3b54b6755c0413c53fb77421903352b09e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
80e48298dd37d785be0cdab242ed0bb2

SHA1
6325eb8c7ba270826c5b44ecfabf81ff1e8a2732

SHA256
0009b513f81e92ec63f45ce03bd2583705aab5dcbe5f1fd7d53310ee3234b3d0

SHA512
2f08ca15b01f6dacee953ab8bf831ef8d6466afa25c78269b2063a567d9e6d9befeb2ccbb49273631ed6e3336c3d2bf4f9c0e91d2146e34fb5582003c2260d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0d477087a408c396db6d1beed1ca17d

SHA1
5299e0c73990b7c446e71a6a26859388f1ff515e

SHA256
c07df1ea9956c316f9f032d7f13afc5630dc9d2eabee7c06f4c6b24c74c2f018

SHA512
7a2a7ebcef5717b652ce9f4ff9050c9d7ce1a72f84bb15067d401a8b44745461c3f041ea3b2b464d46080d4bbc534c13353e92e535354ef19a4155a74ef98e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c8f2958510522495f566e5e82ce5f5e

SHA1
4584aeafc77180a668fde8a23a419a66ca074088

SHA256
87c1526adcd4bc560d3736e2b3294fc07b41422242ebc28da3b280f5f07169eb

SHA512
e2d7212a23acb9e6b537ce419e251dac430a737c5acf1a688dbc2b2893b47393897e5c4864e1d8626021dcf652c92997674d804d5986250c72feed7ef60709c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ab5692e0dde143457eca72f7e887a68e

SHA1
27b3013b0ef714e31b636c7ef90f082b95677dca

SHA256
a45e571136a9022d1827078ba0d51c7285b7984a1194ebf48bda8af58d979d4e

SHA512
9cb2a6ed3053f5812282566b16ad36ab817cf046bc843708e724b53c099e60a8847c1e432df61dd0e86eb144cf8bd7f4475828db2884b6803686403e75054952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
20d876b9dc777e942557d5f2e3c56d3f

SHA1
b3e15c34083e059d06e07213925f8cd5cac8cbed

SHA256
8ad2baa204f1e8552423b99d049ec647e01ad271171aba783a4bd08567304416

SHA512
12e502288b34caf55b6e2a271a41e73788a3f173dbd153757c0b154d76ddaf47f8ebf24cb7edd503edac46bff18ae5aedfee994279c2135a9845da237545b629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e930fb2461bb399a03dba95326fecb81

SHA1
2569144ff7f87dab800aed6fa32daf6fd420b10a

SHA256
8eb582170523cf464105f11a58cf284d1f77501fdd833028984ff2d3fad0cc1a

SHA512
83fdb064aa3aacdc5203649f25f5d4985e03f112eac827ab86a1fd927fbc9ae6e293c6bb9b45bb18915305b78b205f2522a1b0fe46432ce3b40b29ed62175a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
72e11ecf70f46a5a63a48e1e2eb68f39

SHA1
33266d0b895e932a06699bb3da98834788929907

SHA256
ad3889d2f8413412c5c89e5e83932777f08ce1ce8985da73fa76a0d1d8ffb9cd

SHA512
a853129913ef1f9ddfb3c115094fb9cafc27dc50624eaa5bc7ae23c88484a5bee8ce805d4fbc87d34a043807272f8e476cee5649bcd08c98f737ed8024e79b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
962f37be8ea758a983610138139b5cee

SHA1
30ef2ec2e42d535f28cfda56f01d23fb570a751b

SHA256
8ce83d7ff840938b1df437271c5d6c3cca4ad4260e1d0e1ab2d54733b628fb07

SHA512
4242421c7026d8466a430c0fee29cfa36b6c6d3b8928145ac3ecb5de502325015b3abf3a9a0d08efe10dbb6468c57a6fec5ba3a9c5978bf5a0b86c571ba0c384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06a4c7f0bb4b3a1de2816b7fdf2a3981

SHA1
c762f162fee1c0ac22b41f8a9b0e621f4ce9d5f9

SHA256
5ee6c40697b5674f8654a564e26de146013c0a4ac6e26fe3a90d79919b0e117d

SHA512
de736bdad944ae74a97324aded92c59d78932fc67ef89f87f691ff0a2199317c75277ebe7bc41b86f2ae4bed27d068202d8ffbf054acd4b53485567fd32cb444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590bdd.TMP

Filesize
1KB

MD5
aa123b8e4867d88c85b92f23bb4dded6

SHA1
4aec416efffab01252790cb1890a360d38590440

SHA256
9e163a319295e898a815d04f4f323155a2d66e6ab85fa4e37f1f52970c0b8d7d

SHA512
995c475c15d4f5f46e7873a5f31010fc9ddd841e698d7fe161301c51b44da7d2f26c1c31f137a71801265c323d43d6398ea6a7353fcc973762b49e7f6a10b731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e8b4c63b-22d4-45a6-95bd-4cd73da8bea7.tmp

Filesize
1KB

MD5
c318a3b45fd5eebda3a8211fc39fca83

SHA1
3319c96d1889eebc90fbf2e46fd9c2ad736f8ef9

SHA256
3e64b885088db08c038572cada96a7bdf7accac095c38620ac378a122ef93273

SHA512
2281bb7bda13b8708df339fdb961b7ba1d11cf23b3a07ad51bc7cd98fe1123b35eecaa251bc8b2b28c12f992c0cf170d73500e985e413d71f9b0d000cc7929e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b2e108f7a2507108c388fd51f374fa17

SHA1
473e402218ff33dacbdd50b76c3d3bc49de62a6d

SHA256
888db0c719a2abc69d3cdfd71b83a300c26e6ba5702333e668268b9825d61aa5

SHA512
b44e5a1b64cf7026e9183df249fefabd017bd1c305f784e77656d5c63474dd25b358af93a9bcc0a04d62707f03a5a0b51af70cc607db959a02188f0851a104b4

Download Submit
memory/1552-2-0x000002BB84710000-0x000002BB85710000-memory.dmp

Filesize
16.0MB

Download
memory/1552-208-0x000002BB84710000-0x000002BB85710000-memory.dmp

Filesize
16.0MB

Download
memory/1552-33-0x000002BB849D0000-0x000002BB849E0000-memory.dmp

Filesize
64KB

Download
memory/1552-31-0x000002BB849A0000-0x000002BB849B0000-memory.dmp

Filesize
64KB

Download
memory/1552-32-0x000002BB849C0000-0x000002BB849D0000-memory.dmp

Filesize
64KB

Download
memory/1552-30-0x000002BB84990000-0x000002BB849A0000-memory.dmp

Filesize
64KB

Download
memory/1552-29-0x000002BB82E40000-0x000002BB82E41000-memory.dmp

Filesize
4KB

Download
memory/1552-34-0x000002BB84710000-0x000002BB85710000-memory.dmp

Filesize
16.0MB

Download
memory/1552-27-0x000002BB84710000-0x000002BB85710000-memory.dmp

Filesize
16.0MB

Download
memory/1552-17-0x000002BB82E40000-0x000002BB82E41000-memory.dmp

Filesize
4KB

Download
memory/1552-12-0x000002BB82E40000-0x000002BB82E41000-memory.dmp

Filesize
4KB

Download