hxxps://bytlly[.]com/2tlvMl

Analysis

max time kernel
80s
max time network
86s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
16/03/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bytlly.com/2tlvMl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT (2).zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
680	msedge.exe
680	msedge.exe
1676	msedge.exe
1676	msedge.exe
864	msedge.exe
864	msedge.exe
4924	identity_helper.exe
4924	identity_helper.exe
476	msedge.exe
476	msedge.exe
4164	msedge.exe
4164	msedge.exe
2856	msedge.exe
2856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 232	1676	msedge.exe	78
PID 1676 wrote to memory of 232	1676	msedge.exe	78
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 1924	1676	msedge.exe	79
PID 1676 wrote to memory of 680	1676	msedge.exe	80
PID 1676 wrote to memory of 680	1676	msedge.exe	80
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81
PID 1676 wrote to memory of 4604	1676	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bytlly.com/2tlvMl
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff912133cb8,0x7ff912133cc8,0x7ff912133cd8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2973452346921346692,16010659530706046264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ff3824ac26f67691ef8d18d47cec2fab

SHA1
99b7fc918dd6547db5beb7864b518d4972b50487

SHA256
5110d8ff6278d943c83a71a10bb70ec23396032faaaeb22207ab5c7aa3eed2f3

SHA512
9b557f0438d2a3a51e28ce52c74b44d2becfae8ef80a41a76c72d79c500d2d2a95441b8174143c95d71b66a3977b91ec21811d9606d5a398756980bd58bca4d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
912B

MD5
5fb6946057bb0a2719c4dba758783e6e

SHA1
a31167124a45fc79657fdb370c3c274b8867cc71

SHA256
d1abdc94c2c9c79f0d5566c9b14871cf2d5cd46c1ed25af612144e041520ff32

SHA512
79762aba3f51853418d19a7fc23f3a9bb4fd225db04308a3ef4b66e8d1cef4319a86d1503c8faa6802ab8a3f99415c1cc26940167fbfdc8f692678a132426c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65762a63f6755cc6cfac39eb589ee6b5

SHA1
cf7b1fd38c97c74e5b6b26007fafa2741d55b40c

SHA256
5cbb73f31fdfd2b97846f2777c2dd23cbf9265b196640c08bf9d19ebfdef5121

SHA512
936f8b2bebba63ca400fd61bc9155f202d2a55ee6796d59ea06837aab976ba875b76d3ebfee2aa414a1edc533426d21078adb65e443846e4a55e7a07396240f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54651a2e03c9580a2f7ee1a04fd6c74e

SHA1
13d6a57f457e60e2f2692f771da8f9f143fd9f6b

SHA256
e823fcb17879c9ef72994596bbd3f3b9ad0e64693fb8329ac80684e7bf788f82

SHA512
cc915b102e1980d5a8e1cadfb440cad71f9f78acae13969dc8699d7309f4da2a365ae4af288b64966a56fb1da86b023140f22c1b606472707a4b485f535e85ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80b9562cedf9255feb7f1ab03b2fc1dd

SHA1
b10591cecc74a16db857047e5aea0b6ca1da1914

SHA256
b91742fc7de9ebd07b8e1ff8216815408e7fd62ac3e5badc85504ae6025b9444

SHA512
1855dc0abb67922e251b4421fea3d86c43d9d56cde4c90b20506007ade2fa96900cff7cf41b36f24c86f51b2605770cfbed8cb3aa989e15aec3829f6c8a7ea3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43bebd5909c2e83a3e6c834c8ead5847

SHA1
fe848c20813ed449ef31489ceea7794b3a22d30c

SHA256
54f6b11363e75cd6abc747d7f6ca073843787a7f293692ec9b40931854e8c697

SHA512
ad4c9dc0293e5a27e36644606f3edc3c0d3f655e29b6a27fc070914a07b3385b72c3d1032e94b5e39b66e106503b3e93967389d67678a149041978786ddd421e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a626061f16a69616d3c7f726b734203f

SHA1
73ffb15e141d193ae0b93827fe0428ddb739e3cd

SHA256
f1cc1489e0ca33eae95b1ba0abefd74dd1214f5eb14ca489a30740b095dffade

SHA512
87c812595d62c05c709a9d5ccadfdcb09c8d1a47d5aca1854e1850108102979c35cef08ec91e474e3c577dad7e4ce8dc49891cf454d01633b1a709661365492c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1de08d20598650a64fa7e389dd00531f

SHA1
9277f4f5c228abfe6d47f7459a705346d634123f

SHA256
12d68d55e7c5b57557703c3c5783bf70872f3949f34446f4f612017a1f614097

SHA512
c18243f847b709b3d52193367a8d542bb9ef672ccfecf3043eafacc82db43cc2e3ba88b499d181cfdcd8d1ba4e07db527ba4860462bb7a92eba13d465ad21d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ed8c.TMP

Filesize
537B

MD5
5c476e28423f0aa073d819cde107493a

SHA1
8e2427bb367c88f6f7054a1cb78a89736ba68f96

SHA256
058e0cdaf4f31aa07bdf1ff2350c5c6951d7b192e967c8359dd4aebcda867a5a

SHA512
ada9d22e458dea7ebaaad277fb3cfb9a47324c5eded7a4ca8e6d0f4eabdc27da44fb4a2c12d78de4239ea8c2fdf03a42eff1518eb8b0e935737fa024e84636cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\af18cfd8-0fe5-4942-af58-da9a4a44708c.tmp

Filesize
5KB

MD5
f9f459939cb8d5879b3b89f379f8de98

SHA1
cc391ecd8a53d25718b2f58f7d3f3bd3dac4d73b

SHA256
e18e1cc049bfc4b6f8d7ce47d16b4da9725a5c7e53f339d78561b1606790b6c1

SHA512
bc78ff0f26b4a13fbcc31432329ace91fd4170d06aafd3d40fee9e8ba50c8a50beddf11314cdfca39a0df7814f2d7b4712dc41ac6afe8999cf6b6a45770bd99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6c41b1b6114e52d889e556d9c1f6aaf

SHA1
e6f23b985246c41fe773106f12283e0bdd06fab1

SHA256
b70bb7376800e7e1e340592f9c413635a6edd726c1668fda729eae7751d3e5e4

SHA512
c13d4157b778dd93b891a3b102eacaf68f739ebfd2d225a318d07490c23e2512611520ded11626bfeec8bd92093c8d33547707b034ef037d98b352d0ca6aed30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1332373d5b6a9f63f3764eb83e628730

SHA1
93cdde18b6b90356a9f41c5f11f2bf95d8972e68

SHA256
794d6a57840d0f137d8451e1e3f06becd53dedcba7027d0ce666d81969f27280

SHA512
620f7dcb6265d74bf08e57b157afa0dcc4fe7592aede94ca31ebcb94490e71752670be22e0b6943ee23e4b13af0068125e0656386fa7f1a547121e51807bee0e

Download Submit
C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT (2).zip

Filesize
4.4MB

MD5
99cc03d56d5053022a7746e495daaa09

SHA1
13ef21cb8115922cb98ec24abf6c92aa80bccedc

SHA256
a7723fe756cacd08e6123c698c5d5c889fa980d980a1e3249631784976a9e755

SHA512
f0ce17aa77005843293321a08a0f561fadcc81773906a582acbc1a62e5881d513c6dd84a3866efd73d759e6f790be010b3a2b9c8c3bf48819baf507ce0213a8b

Download Submit
C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT.zip

Filesize
1.7MB

MD5
d92c06f1fb9fd79961542a5660967303

SHA1
c02d2c43a348826c33b358cb787d6662c6d3987c

SHA256
e4ce0e31ae77b115f4afc8c9bee830ca3a7b0a444c3c1de36e8ff1bd955c44d4

SHA512
a8fb0f0363427833f4ecb6afa923a11a4ca41c961326d6a091b2700392b7eff8f7d3272cecea1be2698696dff9cb781466100dd202e8404ba6aa422033af24d5

Download Submit
C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT.zip

Filesize
4.4MB

MD5
9f317185af81cb988878a2a24fe96d6a

SHA1
877828291ad5fef9f74510ccb3b9d6fc54e6c01b

SHA256
2b4f495aadee1640344d68a7da08aec036db0d3b0ce000bf0c0776404ecb15ee

SHA512
5baace932addade6b9bd5b1e7c2574450a2fbff232aaa75df7079144d16c0ddaeb11dd68149575d3ec5e6fb4fb17cf90b93f6c5bc45c6e59ced01a54b81071fa

Download Submit
C:\Users\Admin\Downloads\Boom-Library-Toolbox_GKL6JVwnYT.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit