hxxps://blackmagicpartners[.]com/

Resubmissions

25-04-2024 08:41

240425-klw9ashb87 10

25-04-2024 08:38

240425-kjprfahb71 7

Analysis

max time kernel
130s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://blackmagicpartners.com/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

䕅瘵㍮㜷癸x䕅瘵㍮㜷癸x.exe䕅瘵㍮㜷癸x.exe䕅瘵㍮㜷癸x.exe䕅瘵㍮㜷癸x.exe䕅瘵㍮㜷癸x.exe䕅瘵㍮㜷癸x.exe䕅瘵㍮㜷癸x.exe

pid	process
6056	䕅瘵㍮㜷癸x
4272	䕅瘵㍮㜷癸x.exe
5280	䕅瘵㍮㜷癸x.exe
3620	䕅瘵㍮㜷癸x.exe
5308	䕅瘵㍮㜷癸x.exe
5424	䕅瘵㍮㜷癸x.exe
4404	䕅瘵㍮㜷癸x.exe
4788	䕅瘵㍮㜷癸x.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Davinci Contract.pdf.exe

description pid process target process

PID 5604 set thread context of 6056 5604 Davinci Contract.pdf.exe 䕅瘵㍮㜷癸x
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5260 6056 WerFault.exe 䕅瘵㍮㜷癸x

description	pid	process	target process
PID 5604 set thread context of 6056	5604	Davinci Contract.pdf.exe	䕅瘵㍮㜷癸x

pid	pid_target	process	target process
5260	6056	WerFault.exe	䕅瘵㍮㜷癸x

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Davinci Contract.pdf.exe

pid process

5604 Davinci Contract.pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	msedge.exe

pid	process
5604	Davinci Contract.pdf.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3784	msedge.exe
3784	msedge.exe
4992	msedge.exe
4992	msedge.exe
4880	identity_helper.exe
4880	identity_helper.exe
5308	msedge.exe
5308	msedge.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Davinci Contract.pdf.exe

pid process

5604 Davinci Contract.pdf.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe
4992 msedge.exe

pid	process
5604	Davinci Contract.pdf.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

msedge.exeDavinci Contract.pdf.exe

pid	process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
5604	Davinci Contract.pdf.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4992 wrote to memory of 3244	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3244	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4112	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3784	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3784	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 4708	4992	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://blackmagicpartners.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc72a46f8,0x7ffdc72a4708,0x7ffdc72a4718
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6430462833793409860,4533372276399048518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5920

C:\Users\Admin\Downloads\[Videoeditor] Contract + Preview 11.04\Davinci Resolve 18\Davinci Contract.pdf.exe
"C:\Users\Admin\Downloads\[Videoeditor] Contract + Preview 11.04\Davinci Resolve 18\Davinci Contract.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5604
- C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x
  "C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x"
  2⤵
  - Executes dropped EXE
  PID:6056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 372
    3⤵
    - Program crash
    PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6056 -ip 6056
1⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:5280

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:3620

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:5308

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:5424

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe
"C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x.exe"
1⤵
- Executes dropped EXE
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
327102326e83f423359e2b664bafd6a8

SHA1
3964d85c4868d7e3d772f4d751a2fffe05fd01b6

SHA256
ef5a84193e1a56a1972805aff4212a8bedd81cb4bba82ccf64d7395c71023a94

SHA512
8313d02285dfce1e1976a7e9bb7f283f10ea45e535bd9931cf8feb3cd032c8cb7f994a6fdecfca4c96526b5816bcb59f0298791418ff0a026921036773f63590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
751B

MD5
9977ba92b2eff675063c097c8233a0a3

SHA1
a0ac0d58c18b02aa2484e5e3ab6e10bc101d28cd

SHA256
e236473452d3e31ab8052fa5269ed8cb2d0b63e47109487097b27c4ef6181560

SHA512
a37bb8431df7c7a16f9980f1c4cafa33dff183e745d551381e67e6c1aa579dcbde3265960f381fd496d6cd8aa11c818b4917f0437c3bcbbdb3aea1b7386e1095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85c65d6d3d2c2e33cb0a8ffe4b6f77c6

SHA1
fb4f9b3e9f4bddb2b0b89069a11e0ac6cfe1fc1f

SHA256
c6ac5b9fbe2552d5acc9f268517973dcdcfccc9ac308eed916ecb59231a7453a

SHA512
ece6929a62cfcf56fb7494e976c54532fcaebcc66ec104224bb95287e6a6c8cdaf9b976fa9393ac7c9beb1908e254709e8148a1a73289321f75c9f679b5c6bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f26160aa3cf259a5c26fd7ea9bf8b83d

SHA1
a92ba47bf8f121a701d2757114437c198bd85637

SHA256
61512db3fd09d71950fcc2628f0e0ea895cda7d1bc4611603cc1c57ba5258b7f

SHA512
c29ae4e2de03ee04f27576c087c1d332c986ac7ce72198089f3b28e798a216ae03b6f8f271ecc6a75e68d3ec00b48f767d380b27301c020bc46a7f65ac97f6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d959ac2941f54408a68c067370d66c1

SHA1
87f6a45bf11e6cc104cbd073afb1cf8163999801

SHA256
17f52c914e356f332c9caa6899487b4f4f0bb2bf3d13c2d8827d786839fb4e3a

SHA512
442fc880afbcf8962ab81396775551a0853e540f072ce3a0a2eb7bedc671e86e115b21063e4cbead117026e851e86804c2945e37d2faa2a654893111b3351e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
4b8779ac62fc41f4328964078938b819

SHA1
6691bd74c32243e251e3706738301c98bf1adfcd

SHA256
2bd30979e6910119fe7c3958529bf088576011a8349ad3324352431e74995da2

SHA512
335d87f69ee71e337dca89b19ecede3a6f3f7c0b94c87c822418396add8ecb279e4f4240075b8017f81a1d87e2f1c421a33c1dd0609f065b978a729316b878ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
b50c526297819c939f66b9be0e59008c

SHA1
3002df1b2315bac04a8497177ea355b0d8439c98

SHA256
4cebef40e1c546484f918d40bb530e05c871f87552bc11902a4eda29ec5bb3ed

SHA512
2cbd7174d6b3d5d4a7084b74a6cf83b9368f39458efff1d233e7ba626ecca55cde94770e335ceda133932ee3e99a0f37bdfc8dbc58e51de2d3934a0b89951a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
1e3851091e5b9decd39c03408347cf65

SHA1
9e0837c0f9c8fdf282ae1f23ef889b04afb27321

SHA256
8469a4c67749d681c0cf3f7d8c69e22cec65a15247947fb58973741dac3747db

SHA512
106c57d06cde444a37ecd8d8028a6b33f3c5208f52bbbc48281c02c78cfa828bff21b204be10d9eea86a6a5a63f5e648fa9e76cadd3d0d3b609872d7a17ddffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
e822397eea71781feb910efaa0f0fccb

SHA1
2d23a2d1e3ac93a5afd7013273cbbf64c842f9a0

SHA256
2b352bbe6acdad39618f0eb5699939486fd756ef1c59275dddbf6f092300c192

SHA512
27386df004a06d4bdedb863a1a3c9472a2a2adc76ccad4b43c56815f736b9e0e490fb058508c3340c13c931f7d7df579225e8ef3ba63cd01720198009c433a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d86e.TMP

Filesize
370B

MD5
96baa082ca683a52b714a8ea399bfc58

SHA1
d9da44dd6a4e4b6d3823e2c50c141f25e0a17aca

SHA256
f437fb651448516e5212a2890a48b0545711926e9e08580c727dd39eb0dca507

SHA512
520686dd719e4d8dedf8a733a33763614eea09fce43e37abe61b9c62f49d9e216907efa275e2e9a0197753cfb85f490e2e51c563702ada39286f4352f2ef1639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db97a2c2c564beecc34022608c5ab06b

SHA1
21aaa1f11a68c0aaa5ad733e0aa3d099e1dd365d

SHA256
60553c4ccfe3c2b1bb8f5f4a92682788257d5d34e6f70c2be051208cee9bc9fb

SHA512
b707ef57737c044a4be540f237916fad9f93fead6e8b4095c9beb9cc7cfbc5a8fb86f9c690b5ff603b0cab6f01b7d246e0703cbddf241682a109368faae7417e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
017efc6a4e3d7b309f743d1f0045df9d

SHA1
b66d2fe34e4dbde81c9b013cf9bed38b9bf4206c

SHA256
e974a8f7134668fc393d40c565525d9ab7b6c45dd30c7287e5320ec7e13e2178

SHA512
518ea354669dccb49af77bc20b0f4cbe8b7951411261d7e25c1d7bc0c968b1d51d361da28eb94dbade2ae3dc04f010c8860311473fa4e72071ec1e5c2f6f61ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x

Filesize
38KB

MD5
3992f464696b0eeff236aef93b1fdbd5

SHA1
8dddabaea6b342efc4f5b244420a0af055ae691e

SHA256
0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14

SHA512
27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

Download Submit
\??\pipe\LOCAL\crashpad_4992_OGLXVTCHAEEYKDBH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/6056-295-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/6056-293-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/6056-289-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download