hxxps://fc-lc[.]xyz/17MbVUc2

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fc-lc.xyz/17MbVUc2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
1612	msedge.exe
1612	msedge.exe
4880	identity_helper.exe
4880	identity_helper.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3260	1612	msedge.exe	82
PID 1612 wrote to memory of 3260	1612	msedge.exe	82
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 1212	1612	msedge.exe	83
PID 1612 wrote to memory of 3060	1612	msedge.exe	84
PID 1612 wrote to memory of 3060	1612	msedge.exe	84
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85
PID 1612 wrote to memory of 3220	1612	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fc-lc.xyz/17MbVUc2
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab30c46f8,0x7ffab30c4708,0x7ffab30c4718
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5168 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13199601905769882454,1421051319097077333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
17KB

MD5
6e97f144c08afabce16df8fec19aa35c

SHA1
1e8e40a05a3b210d733a8d5f641a78b2e4e7d812

SHA256
44c4114db56c2039c5f205915ab38a2f96fabe2b59e444c8a9f82257b878a972

SHA512
503e403615eb6583f1c4fa76bf00b5def8eecc5a8b0da17221fbf503f0cf91783cbc0e97237ebee4c69be9e8f1442c7c3362469bf49e3a31b299f4effe3cc354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
30KB

MD5
1c05e941f2b036f979d733979cca4c03

SHA1
ad47c7457a804857a8f9ab2dd88aff300c92a256

SHA256
d7df62b5fde12fd3d945c139a132d9799ae1657fdaec5c04dcf517440fe2a4bd

SHA512
da03b63f00b5c2dffe3082a973bee14ff6fb75a75878fdbf6eb4975922e0bc509f68030311049c171752b58f2dc8500586da655267d874c2466fb46f6a62824f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
30KB

MD5
3899f3784801cd15adbdb5c617a53426

SHA1
d37df1ec265701b0527dc0c1e814cf40def8f0ee

SHA256
f6d84799ad0031021fd9591dd1f29eed4d318b582e9f433187bde5b6898a432d

SHA512
690b786457101878db223abddc1f6990e85e9e9b9e7420bbe1a9a4504257ab6ca755b362f6e10c8910db9e23d8ed957bf1d152303794d42fa7a293a6f3e40b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
99KB

MD5
d19d5bd83ca6c5ad854794f180fda3eb

SHA1
be01c10f078346fc7cdec11be4e88811de717034

SHA256
4412d27a28d17a0332641810d456609b5b2e3d3c97d2c9550e61ffd47f14c6fc

SHA512
cf10c1c1fc0ca93d573265d408a43ce5fdde8b82b265fcd9b3c237a4e996dd8b6f4f558e7341f2cd63be28746fe505094dcc3760b15a17088594a758b62f9f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
24KB

MD5
f782de7f00a1e90076b6b77a05fa908a

SHA1
4ed15dad2baa61e9627bf2179aa7b9188ce7d4e1

SHA256
d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968

SHA512
78ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5c65ca1b9bad091c_0

Filesize
19KB

MD5
6a59be393eba1b677d6c0d9710246068

SHA1
2bc8ecd45db16a6a48be3d68e7941922461e7423

SHA256
12525fa567c43ea484cdd8f0082ec13939d7aa0b643aa5d1924a9e32549e0b04

SHA512
a84e9782aa40ab62fa52d8bec49c050429bee0ea90154bd4592e48103afb94c94cbbc6d5656e067e06c0c006a876fe0b757edb838a21d0b50daf9c67cead4125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
93601d5e565618d255f8fdf27f17b0ee

SHA1
f1f9b20d967010e32e471aa5ffeed4f6af5fdea0

SHA256
39c06788e04f92affadce04d24a240d4acdf3da8ebd3b4b6362780a24b2aa260

SHA512
f67db8b47a6ca5aed47c9bb423bfaa28dc24e3b9b3e37459b4d35f30659c938f75b449806c909d7da3594dfc88150f17cffccb40b210ccb4e4153b08ab8adedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
b285d84709d102e604c85f7d8de0df7b

SHA1
583d723432b67c83d188f9a4ed40a79aa357f200

SHA256
f2c9378b52d7d3553cf11990b1e2ddbe81f6291c3f6d0ac4c15f1b6153df8c2a

SHA512
8bd794300da1b80310a2a3da088781b881c205a33815dc1cda571146514ed4bee7dcd2e3850b7c520e07e1876700d56fead70f2b4f45f1921f2b30cfbd884e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3f04614f927e64bfcf9884370565ce73

SHA1
70a63a566a9c1f895310080c988f6661b2222436

SHA256
eff9b3e1a2b11780788a807970f74554c35619dcd8c0fd4d099b55b1fb2f34d3

SHA512
8431a1df281dd04384b409b4a6093eef366b4109ec2ae28d21c5712df791ceb640ee58c970b31924a7fcc20c88ad31a15ecba3236121aa5a812dc7da72925c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c36bc54502f3d9e98f9973d42b879220

SHA1
3377403806e291f52e8dd69fb85dfc1e0bf16ba5

SHA256
590299fec6d132ff6583da7e54d0ccc421f93a101dc012c0df6d90894d610479

SHA512
8ce437b5118c66b7ac23eaaadd188cc6a9f1baa78c439795d50882bd2a9bbb81d476c3ed8dea34b563748c77c2eb9a02d8fedc636448b665d1f91e9c97a19918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36cfdf2f8ab151ab72372e4ad168d12f

SHA1
765c10e0806856d51bb3dbfe4e4bc935364b1e32

SHA256
c294c152e6165140b3c6f04b4d7fa05859c3ed73b134412affe98f9c23783cbd

SHA512
4d7885b1073c419885a3cf4b1b67dfc663858a0b3179e4323807e2cc60586fa934a23012abc7a5f199959d6dbb35b9456cf8cc0fc4455253d11af6b040a099b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b14953b3eca8ed532d7e479a442b65c2

SHA1
23d7b1180c41e6335462275aa39fa89c3cc7608d

SHA256
d1fc0fe006c5118484105dbbc22bece706da324b760a7b025100c9f4ea9bcb16

SHA512
5069a233f5a387ceded1f7129cbdb8b00331765cad47cafc58223405ef4cfd7a4e67e166fcac006ac2913b4d30f681254e1540edb79edfc40308601b7de8e5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
da297048ac60bb24c89d545fef977cf4

SHA1
4de4984d16fc9bbcf84df9eff1351883d874bff7

SHA256
46f8f8dd9f1e1760fc5c8b35b175d34a046b7141488b4fba58d5b2657124cead

SHA512
140343956c88de1a5c7881f22583cd4e60f106366c6427981b382fca3b21c29b76be9fb5e8f567270919e8aba9cf1828f10649169c7fa22498f2e56deae11175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9f518cb8eed8514fac8e820e7f0b580

SHA1
771a684a2faefa6f6d338a6f60b92db890b534db

SHA256
24dccab558cc5e4da81cbe61331ec0b594cc7b2b87a006322e2418a784a48034

SHA512
225d98bf14c9c9e169efdc97b60f1c1bc00e2a458f1879f1c340a9b380e6764b9d0a3357de96b37479230a1ec5733f747feffb305f07f3311130b1e2a96fc837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a5bd9f6f446b86fd5e49490e94fd79fb

SHA1
1de11b27be7a7d5111ceded832a9c8414560ade9

SHA256
d381339b6643a4cb7598bf326bf164d9a2beeddf9f4f9a986d0b02b94415e611

SHA512
d8531256b531c362903f53e61e156b587dbb77567d0c684a64acfc8ecf37d6fbecf09a163ce983ceebd03b1598679324fcf2489ea5b2897c1f5aa3650d03d011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
56c5e7c8ce6f345ce4be555758bf4895

SHA1
8f5cf349bd8b9abf0919ff70d59e3a1ab2535424

SHA256
e1d0c1e99d3f2cec4617ac59ca771ffed3ca651f5f0aa1f769db1a3ea4820e48

SHA512
8944776bfa6e44962b7c148f2f24a40f9708347a22311bbd84f5aa5729787c93f6e115592b0bb1b10059c374e09cb6b86057a1f3f7bfaf75cc0696ceadddac42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
059332480b8f799a6a67cdc936be0a24

SHA1
e2d7c14bcc11d025e1f5230f1c8558696f638c11

SHA256
07bb877abe36d0cd31286f73c38f0caacbb5a96251b56ece20ed56cdbc2aa7eb

SHA512
24801038bda1451dd62102a9c7b302c50307d1c3d1e7325c33a2ea231c82a70d7f433d7ed9e51994324747789c7db60f3819766f00d8c73b1de131eee4e675bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c2264bdf6b6c471f916d2e4418c1cf5c

SHA1
dc03d43ba3ee20bf96005357b6c8f2cf279270ba

SHA256
495d7467cde5cd841eab84ab7724d95a35883d965a8e62a3295e038181ee4a53

SHA512
5052342cdf64ff5a0bd7942b3ebe42c7f73f3eed06af984a72e6a5a7a91639a3ebe00a1b006c0f67d974f7c5e1bb276d97eba4ced787ae6961998675e14fff8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
d372f05e8b66874eed5d6fed54dbf2ab

SHA1
b65d622f780a9af186797beb6032e3de6c32de8b

SHA256
d6a24dba479e181c0c4befdd043a48a24648c0955aebf38d1a162d5b871c5489

SHA512
900b2cbaaf85b68eab63ff0c6aa214b0edfe96640c1b587e89b1fcb81c6b69ddb374d9b04e828ce2baaa65f6c2470551c75ee11496cbecde44ead11ea6c06060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cfa4.TMP

Filesize
537B

MD5
c684cf937b8066bc4b7ae6e46064b14f

SHA1
5e3041e0b39ffa264e578d23b250a6d90fe45d47

SHA256
1c05b895ae6460013edfb8392a0ece6e5472cb56f0a274b0de1ba1900e6a2c32

SHA512
1818bd6fe94335f1c15385ce228a32f8124fb69f02da3a31a1504782d80b711819923bbb2d0c783571f13648454c739d0eaf3055a786f4d1bd70631bd87d3c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
589aafb08524fe4728df053681f735f8

SHA1
535c707b71b36a00b9be2afe6994455562b062a8

SHA256
1e410ee01bb6a1f3c5927080a8ad0f330b9497c73810ee9e4f337283c7eb4906

SHA512
6b99a8542793cd73f91f69d45f6a56bd30a3960c52b4965d83eb4e55f07cccfdcbc6b4760391c420657e189bc2bc6ffc49672e878548eeb85809675230f130bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
6608955574765daed47fc22bf39ced92

SHA1
8ccf3041652ef5e54840bff47e80ebce01b2299a

SHA256
4c4c1a3f81fae201d55198622d31bfac105b804c531f8ac90b0356e6a76672b3

SHA512
620c8a48b73b064af630b4397e26101fc93f798b6a6d1d9d19520ca147113fede3d1d492b8b8ebc8b39edb5f885b9a4b1e93a1dfa30d671c08cfbb6b1b4fd750

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
dfab15b00de47650383d911a4e91b5a3

SHA1
2fe15a365535374f54f2d92d14e2254f241de3d3

SHA256
bfc7329ad5f571ec47298082482edb3b8b5f1d04e0859a2a5839d9ff7916b599

SHA512
95ec625098415ae582bd73626cfb63a4a05bf9c9015d2b1a4d98d19251c3769b2f6eac222ccde1089b2eb95988255f576fcd3e4c4415646fc872b00125e1be2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
788e5dcc717631eaf74055d116f24841

SHA1
2816d89db93462d50b1514797236ddfc6ed071aa

SHA256
95515c75189bd5fda9c2b4f4a047eaa1ceb747d26d7a966bd10e60f7d641a4dc

SHA512
8249b2e09bf07ccaf548d97fcb92176f623173681e9f77b42177d55174f7204755bfa130bc7b6d2a03f50fdfe75f912af2b226e940b2ece160ffb945a8a686d8

Download Submit