hxxps://www[.]google[.]com/aclk?sa=l&ai=DChcSEwjWg5Lx6uaDAxWKQkECHXKZCh8YABACGgJ3cw&ase=2&gclid=EAIaIQobChMI1oOS8ermgwMVikJBAh1ymQofEAAYAyAAEgJlz_D_BwE&sig=AOD64_2P-FVyPqO_-A-qfuN1eKL1lgKFWw&q&nis=6&adurl=hxxps://certified[.]windowserrorhelp[.]com/automatically-repair-windows-errors/?error%3DWindows%2520Errors%26gad_source%3D5&nb=0&nm=13&nx=252&ny=15&is=632x768

Analysis

max time kernel
150s
max time network
169s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/aclk?sa=l&ai=DChcSEwjWg5Lx6uaDAxWKQkECHXKZCh8YABACGgJ3cw&ase=2&gclid=EAIaIQobChMI1oOS8ermgwMVikJBAh1ymQofEAAYAyAAEgJlz_D_BwE&sig=AOD64_2P-FVyPqO_-A-qfuN1eKL1lgKFWw&q&nis=6&adurl=https://certified.windowserrorhelp.com/automatically-repair-windows-errors/?error%3DWindows%2520Errors%26gad_source%3D5&nb=0&nm=13&nx=252&ny=15&is=632x768

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipgeolocation.io
25	api.ipgeolocation.io
28	api.ipgeolocation.io

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
4792	msedge.exe
4792	msedge.exe
580	msedge.exe
580	msedge.exe
240	identity_helper.exe
240	identity_helper.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 2332	4792	msedge.exe	78
PID 4792 wrote to memory of 2332	4792	msedge.exe	78
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 3868	4792	msedge.exe	80
PID 4792 wrote to memory of 2704	4792	msedge.exe	81
PID 4792 wrote to memory of 2704	4792	msedge.exe	81
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83
PID 4792 wrote to memory of 3392	4792	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/aclk?sa=l&ai=DChcSEwjWg5Lx6uaDAxWKQkECHXKZCh8YABACGgJ3cw&ase=2&gclid=EAIaIQobChMI1oOS8ermgwMVikJBAh1ymQofEAAYAyAAEgJlz_D_BwE&sig=AOD64_2P-FVyPqO_-A-qfuN1eKL1lgKFWw&q&nis=6&adurl=https://certified.windowserrorhelp.com/automatically-repair-windows-errors/?error%3DWindows%2520Errors%26gad_source%3D5&nb=0&nm=13&nx=252&ny=15&is=632x768
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7ff9f32a3cb8,0x7ff9f32a3cc8,0x7ff9f32a3cd8
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,17734601650870869905,7750208971879177009,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6696 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
92e040d7c1eeb7646714b53e4a95eb91

SHA1
4eaae5706d13b5f0ca9f2e4c994cfca63890dd7d

SHA256
5342d5a6f08451e0f1c54f8e3658dd91eeba2be804f3582ddf8d6a4e2d0c6468

SHA512
e5b4c0ee79b7536679bf2e54f865f91b4957d4f66e498a026b88a6c14a13163f897f54baa9da747c1523eaf20d29cca960b8949a08a7b0ab9b0bbe92478a34f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
83KB

MD5
7cf857dfad367806c4fda100bd61c765

SHA1
886059d9c22030dc503495d08e3c78203938357a

SHA256
bd36bef5c7319b4d7f23ec93786d818a52d0ba3f35b16c6c44b128286d50712d

SHA512
00839515913ac53e0f52590f664aa9e2d240c170fe8376d8ab0c65b0cb54aed348e596cc565733325ac67ce210793ab1fcdda2e538409b67f37ce222b7cc663c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
91KB

MD5
c214a06858acc683869abb7d4d3cb00a

SHA1
c780414129222bfd5dbb0053e10fb54216f65dfc

SHA256
bbb7902bda7c85249384695cdffbf18c76c5a6daf0702c2c6d16ce2770d9513c

SHA512
bb45f41582f29244531ef81f058e60c1ce3abafcabfa8bc5d81b99e3b1fbaa12155582db945c52d4704e18436caffa4ede72aeee443c39a26e1e23352820430e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
47KB

MD5
7e98141e0021bfb70c32c287a7677379

SHA1
829e307f5e588840c881d9a0dac65a845c114b7f

SHA256
29429c17c89610c2fac0d4d2121467ebe2657a1614ec486717be7a020d315a16

SHA512
8c594b5fa13e5bcbb4246d81101ccaa9a20ac1161c6eef9f68f39a0a743b94cfecce770749b608068647b56533db336e202b356bacecf422903eaca5dce7d443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
84KB

MD5
0fcb508b7e11faa08a5574ad39d62e4e

SHA1
4cdee9e570e1c3a85e500f7c701e85722e472931

SHA256
069dd2ed95059983e3c0e588e0da2e0651765c64f72890cdf003399d87020a08

SHA512
64d21cb2b578223f98615ddb2fc29e3cca87deccdc8974fbc4b30a84b14cc9c5bf22e06b5a507902286fd7721dc3c044c8908f08cc62171d66adc34c974f1cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
0ce1e116aa13ef2f0fcd29eb5b3a89c9

SHA1
efcc706bfe5ac499e1fd643849ca0e82a9371704

SHA256
f90debcc647ca90a45f5e934dee8f6dbcddc1edcbdeec0b4e0a4e2057bf32ed5

SHA512
00523067a541846be65b2b53ac0ba97f3a9415734d1deaa0e0d1b864da7ff343dedbd26db3bb23f87aed8d6a1cf71f9d559d6f2ff12e350dc5197b145240f5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
7bfe856132761c0d7bcdfa93812336f8

SHA1
fd3ba3008f567c84f887e249011b18116e7e3238

SHA256
91b24d6406a4af9576256f6d27a5d9bc067313692af60d686335e53c07455380

SHA512
fdf65c1403a310d925322688dca4e05d2f3c7928a913b963e945c74aeff653f14f224207f025817ff4ddf812c7628c7214e78e219ae45a301ed98628f7409d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
530a5b0c039ecf4629a1d05a9f38b8d6

SHA1
e67339b8adea3c67779803bdc82b37e9f6748590

SHA256
fbf51db7df448ab1f27a3b1c74bc238a1496370611d8326c973f88c3fbfd0fe7

SHA512
ce6593eaf7947e8d42586e38a8c7b04327787317b12753de0a09561e0a2678d00815394178d8433c3f963eb6382655ddec9a986dd4d7c4176b9bbb2c9adbec0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
86041656851fd402a324e4170cfd5781

SHA1
009b1d01b58e71f75b87a56c1b84c36da3bce42d

SHA256
1449887484c0f0c8d9af90fb5695b14b3de49bc104ae3f5e0bdc5b2f1571c05d

SHA512
71aee5a4e876855139de9ce6a1358533245c355df1b25c1523793a6db988ced3e473abc83f7c9d3817373930a35a662f6293b7912a0b8c8ec52f99a870da0603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a85c09d1dbd20f4738d6e35306fd0c74

SHA1
c61ff7a1f4b9130ef452041fd1d5ad7c572cc13d

SHA256
0fd8ff0636f5fe95e0ee6fa0b7d197611cc87d8f16254e8c85aa2921b0cea464

SHA512
ce63c008bd9f77459c47c00729f0d4ff4bf1a628f0307706e4cb23f877a0ae5e73635479f50224f58d2e3407005fbf60e3529c7f47051dae433306ebc2c6b1b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
007d74c3fa4f0f3c1c6ab48b44ad5e58

SHA1
978f559d9415e0587c20a60e27bb782bdb4ea77c

SHA256
a85d1b6266f5bfef3a85a46fc8110f54e71184d647bbe0d64c35b619221c6cc5

SHA512
af821e294bd69b9a3a4de744736a4f2825968e08d865c416528ce2e3a7d375c372f7e92b297bc790081ed06b51d3e6d12a61f6bcbe96303d0de531cc1565a5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
065dc92359332aeaed6cebf566fbc65a

SHA1
9e3c93e7be02ee6b6f2ea40359dcd1d7212972a3

SHA256
0d9e159fe21b6d1f3e06b05b871d8c29761599f78290122e9e2b75946026937f

SHA512
9729ceb7382a30da3828e63b02be35a549ef46dc6eb98c3f8a9a4e262defc2574fab83b1fd7e59cbcee7da884a70014082ecab469cb0c94797d9400284957da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
55b351a2fbfa328b68d3bd76337db207

SHA1
d6906a9cce6133d4e74ab574c8d1a9bbc2b1a7fe

SHA256
8ec6b19cef38eda93f5ca0f65e2c31b99541b6870fc1415ba2b4dd11fa4ab549

SHA512
bd2ae46c4c9bb258bf59a61212b0aeb61ae3165107dfe599841666d0e64e9d8dee661b9816a36f25f97810cd268f84b0daa1e5d31ad74019243688a00ba0c4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ca8f7fa5524adb48dede5d455f4ddb6

SHA1
6730d0010bb4c09a16b36606c925111a67e67637

SHA256
05fa55a1f18cc2db54498d7553821a0a1ed6005b932fc1c21554040805ec8db0

SHA512
cf12eafb556857595a630de5f796d71556f384d4650b75987691f604faf4bb5f2f39b12456f81ad0ac1a18fdfe535bea72e0a5d8b762de3ea207f489f5607471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
58e2b179dbb10d049fe23616966bfb2a

SHA1
b4f722b7e798fb6347837b51b05a4314a8219d84

SHA256
cb934e662ce5441a1fec40f63ddb8b828d7cf0f4a532712907064b377d2777c4

SHA512
ef3fbdd259151b0695369fae632106d190d2b9ac20b9854c5d2c23359ffde9469ea1736e7079264fd739ef3a214ac6ac8dbb9ab6c49184e5b5ebf9b8341c0c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b33c8f023417bff2070775e73bb97d61

SHA1
3622bbe9128ab08ec9ed72bbf9a68cb810ce2e8e

SHA256
acf1154db55f08beefb7891101f3fed17550e8d0214536231df64c48bac5a82f

SHA512
f6e8d19beb5ffe3dfc48b27714f045b3d6aadf1eb25355de0c835f07b1c5698d59ed38afe59f5d9293a1c3afa04ec070ff99aee690ce39684091e613a674f5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
267956174fd60ec02a8e4c08caf2452b

SHA1
00728117982d038a3ff9a4e02e46414ec3567e23

SHA256
20a68c62c35580cf4d9936a584bc9ec5f898a497130979cb118bdeb7eab7b5d9

SHA512
0dc5678e56c9bf834ae28be3aa9abe5f9748a4ea3ad2f6bcf9f2cfb62ba474f1dee2eb9740b14623ab98fdb96db60b06282c68abfbeda0053cd8a5b951b23e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f3b6.TMP

Filesize
1KB

MD5
06d937bd8fdd510eee54c0b404b509d7

SHA1
486cf8ff02acbc495582d727a421addbf418912b

SHA256
fd5dd9c0c334279dfd5cb3e42ce00e472a68d75c8904947dc1b594db89b3af6f

SHA512
fbc035ec9350ff048df1552fd766b4caf282c5c0ac10697c8aa1b2038a0435c85dbd991375250a23e0c5dea491c87303050564d66f6a7bd173bf0c2c85199630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
29e080369610febad91f17f82ccb8b91

SHA1
9315ac730c8449e44e2d026a79301c382bf3c3a8

SHA256
2d47cc19d34fc6ab00b90d258344bf3af0a0841c5b435b98caebb40172a68d9d

SHA512
25e61e36a38dc21b2b17ae271fd2ca67ea44af74522c28c296f743e24c80bb739b3fd56dda4a85cde69721883437287cebe522697d7ea13ffb33c73f831b07a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b63d37ce97d442dde6ef2a574a866a55

SHA1
e2a76a78119f82314c496da9663c306a343e675a

SHA256
69f5b8a767e253db34f59945a24ea66d79e7e5c6877644222f667560f61a8c0f

SHA512
d53a41437027704efbb7bcec31996f09ecf4f7f4d8cc555cb3f412350d74beec5c6b3d45375485062063e2f94094fff7f52500693a826104085efba5becda491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07b4d60342934982cad3184bb3e9c91c

SHA1
e2e94ca84c442c0ea9094735a646e313d99a480f

SHA256
2ac454532d98e298a74179b79356cff80b9943ba8e317ef350645b4026be22ff

SHA512
3d75ccc8e62731170a9de470cb450b5b8528f78aa111e6b1e415d3d841ca9faaefe6ab4ed8ab55bbf56e7ce07c575e5e0d7c02e544283230c9fdd061d9847b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
106eca00a91f51fc34fa40abead15d7e

SHA1
0bbff198fa53e56a798d0cf0244460eca0ab08e3

SHA256
873bd7797576329877451e77cb01819ac7fd848a037ff042be110f7480f82e20

SHA512
d2852e0c619e22078456ef9f101ef08c6c9ef02320059f7c3927ac20471fe03252299f18efe12fcff3a23364bb523312c412318ee8f4b43eb47697f7d286ba05

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 929550.crdownload

Filesize
5.6MB

MD5
4ceb9008d2ed7b5f2f8b65d3563550b2

SHA1
068aaf8eeb11724430f781c13c5235bc0d124c09

SHA256
153ed9d60c2a913c92455f1369fd42d17eeb0fddbf4f13f10929736a69be7f2d

SHA512
94dc880887d76cb14f3185330cdb0d7b0e4a74ad8e080f6c9c5aa7dff4c59427a28b963bef37ea4a5fa89b5137703100cb7fb2ab751bc41640dce56156bb8dc3

Download Submit