3f8320152704377de150418a3c4c9d07d16d80a6c0d0d8f7289c22c499e33571

Analysis

max time kernel
368s
max time network
330s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05/03/2024, 16:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platform-tools/sqlite3.exe
Size

1.3MB
MD5

3b4e7299dd8ad1e2ba3472d15af92024
SHA1

646f4dc386c79c985ac86128720897dbd015ac67
SHA256

3071cb68b6923ed8007398f9f964ac2cc45534f92ea85ed8b283db2b801ed1ec
SHA512

41aab189b684cf14b8d1ad41b49aa017377484b5b8753b4f3a26ef23efc7bd58f8dc1bfb54177dfcb5146bcc66bb39bb88a015daf20b543838de169af00629b8
SSDEEP

24576:XCahsgBTqMPX/wOEsLZr0IyDCtZDTuCnNsgcI/GJYrmpP29l9GSx4RYYw6LZsII7:yahLJPrfHiKFVRIIb9N

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2138828411"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31092561"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4696	msedge.exe
4696	msedge.exe
2504	msedge.exe
2504	msedge.exe
4488	identity_helper.exe
4488	identity_helper.exe
2096	msedge.exe
2096	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 420	2504	msedge.exe	95
PID 2504 wrote to memory of 420	2504	msedge.exe	95
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4668	2504	msedge.exe	96
PID 2504 wrote to memory of 4696	2504	msedge.exe	97
PID 2504 wrote to memory of 4696	2504	msedge.exe	97
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98
PID 2504 wrote to memory of 2228	2504	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\platform-tools\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\platform-tools\sqlite3.exe"
1⤵
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\ResumeSave.gif
1⤵
- Modifies Internet Explorer settings
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff96ee3cb8,0x7fff96ee3cc8,0x7fff96ee3cd8
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,1081774494644324445,8811100316605624787,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

Network

DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR

Response

210.178.17.96.in-addr.arpa

IN PTR

a96-17-178-210deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

89.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.65.42.20.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

138.128.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.128.123.92.in-addr.arpa

IN PTR

Response

138.128.123.92.in-addr.arpa

IN PTR

a92-123-128-138deploystaticakamaitechnologiescom
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

96.17.178.172

a767.dspw65.akamai.net

IN A

96.17.178.206

a767.dspw65.akamai.net

IN A

96.17.178.210

a767.dspw65.akamai.net

IN A

96.17.178.173

a767.dspw65.akamai.net

IN A

96.17.178.202

a767.dspw65.akamai.net

IN A

96.17.178.176

a767.dspw65.akamai.net

IN A

96.17.178.205

a767.dspw65.akamai.net

IN A

96.17.178.208

a767.dspw65.akamai.net

IN A

96.17.178.209
DNS

172.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.178.17.96.in-addr.arpa

IN PTR

Response

172.178.17.96.in-addr.arpa

IN PTR

a96-17-178-172deploystaticakamaitechnologiescom

2.18.66.163:443

www.bing.com

tls

964 B
5.1kB
13
11
52.111.236.22:443

322 B
7
92.123.128.138:443

www.bing.com

tls, http2

msedge.exe

1.1kB
5.2kB
11
13

8.8.8.8:53

210.178.17.96.in-addr.arpa

dns

287 B
595 B
4
4

DNS Request

210.178.17.96.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

30.243.111.52.in-addr.arpa

DNS Request

89.65.42.20.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

286 B
774 B
4
4

DNS Request

71.159.190.20.in-addr.arpa

DNS Request

138.128.123.92.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

96.17.178.172

96.17.178.206

96.17.178.210

96.17.178.173

96.17.178.202

96.17.178.176

96.17.178.205

96.17.178.208

96.17.178.209

DNS Request

172.178.17.96.in-addr.arpa
224.0.0.251:5353

msedge.exe

515 B
8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d459a8c16562fb3f4b1d7cadaca620aa

SHA1
7810bf83e8c362e0c69298e8c16964ed48a90d3a

SHA256
fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a

SHA512
35cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
656bb397c72d15efa159441f116440a6

SHA1
5b57747d6fdd99160af6d3e580114dbbd351921f

SHA256
770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab

SHA512
5923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
814dd544d955c720cba5703ea2ae19df

SHA1
50db8a5f2e9df0b5126640df2af7254b005483fe

SHA256
c32c54b96b3f6e4630acbff9766fd464211175b2d3f8e37cc0e18cf2bb333549

SHA512
bbf23ed50078df899b0c90624e091c1d2267000361cfc75feef1bd2c0c74f92ee43e2bf77ac13a2af96c30f6a4c24d1eaabb392cbbb89b04a844b3111fe19b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac4bf610b8fabaeb59271fbc28e3bc51

SHA1
b8280904742530d0c69a364f606ae498678f2f63

SHA256
dcea9d1bc8ad96acb0fed6eeb0e3249175d066a3a180548ff43da758d3c238e4

SHA512
eed85a8e93555c43afea396bdd568c2c19ffa086bb578f572e1c641dbb3bd2873e1fa4786a9fc4d041562d162b291fb9e205779386c9034b402257bcb3d0651c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
701ff72f2e75f632f96fe6dbece944d4

SHA1
131a6c4a8508b19a705c88fac52aff98ad9d3fd9

SHA256
d2225264a8b4d208b70c8dfcf5040f392556f45c1d4cbe841e8c4f7f860cf218

SHA512
b8f946b035a603ada2b7cc79a680e5ee02af6eead8f8449e2c35cdd91d941ff85a4a666339a4f939baed2c52e9d010a59f27a105eac1294de6d84de1641f3ae7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.