02a90df8c769c773b7ff0e7303bebf4cd3e9441dbfacd46c64ed5a0aa2957fbf

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a90df8c769c773b7ff0e7303bebf4cd3e9441dbfacd46c64ed5a0aa2957fbf.xls
Size

140KB
MD5

4d0482de41055d74cadae1b2e96652d1
SHA1

98208fb0065a0a858b020b291e581b63744f812b
SHA256

02a90df8c769c773b7ff0e7303bebf4cd3e9441dbfacd46c64ed5a0aa2957fbf
SHA512

03ff26f15857c9756bb700c7034f711498a0807d8df36d97ef31d9153270862d9e5fdb7c7480876fed87a739edb6fe8da5a1f0548c678a48c795f103ff3247e0
SSDEEP

3072:qoUuFuPwuUZjsVj132HDb/OQ7iBc5YCxY1m0xWDkV86EN:NFCwuUZgVjpQb/XWBKy1H/9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEmsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3168 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5516	msedge.exe
5516	msedge.exe
1404	msedge.exe
1404	msedge.exe
5708	msedge.exe
5708	msedge.exe
5136	identity_helper.exe
5136	identity_helper.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5708 msedge.exe
5708 msedge.exe
5708 msedge.exe
5708 msedge.exe
5708 msedge.exe
5708 msedge.exe
5708 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXE

pid	process
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE
3168	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmsedge.exemsedge.exe

description	pid	process	target process
PID 3168 wrote to memory of 5708	3168	EXCEL.EXE	msedge.exe
PID 3168 wrote to memory of 5708	3168	EXCEL.EXE	msedge.exe
PID 5708 wrote to memory of 3620	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3620	5708	msedge.exe	msedge.exe
PID 3168 wrote to memory of 3952	3168	EXCEL.EXE	msedge.exe
PID 3168 wrote to memory of 3952	3168	EXCEL.EXE	msedge.exe
PID 3952 wrote to memory of 5508	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 5508	3952	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 3084	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 1404	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 1404	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe
PID 5708 wrote to memory of 4912	5708	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\02a90df8c769c773b7ff0e7303bebf4cd3e9441dbfacd46c64ed5a0aa2957fbf.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ilang.in/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=12638378
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa6646f8,0x7ff9fa664708,0x7ff9fa664718
3⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
3⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
3⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
3⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
3⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
3⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
3⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
3⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
3⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
3⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6600668761360526890,15090044218499180566,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ilang.in/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=12638378
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fa6646f8,0x7ff9fa664708,0x7ff9fa664718
3⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1360625488450849181,16994046840686447777,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1360625488450849181,16994046840686447777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\35deaa26-6451-49be-a15f-1b8b20c55082.tmp

Filesize
11KB

MD5
00fc378a802c79c79c58c6c3c5a8f948

SHA1
4e03d28dd16ffd2738cc0878fb772b7dff94f988

SHA256
99743624a0ed2bdad7a50d9a6f168effb6a2a3ba5293621d8615cafc36bee934

SHA512
733023bf8b10c23e186488512851eb610ac0194eadb7ddc6d4b7e22aaf27f80c836829814b51de8e69dda4da1d61abf876cb9cef84227138feb94de75d0dfd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
176B

MD5
9cfc767fdb7f255dddb2a008aa18e7e7

SHA1
81f3edc820817f8fd5cfe9d6621aadd0f7c42666

SHA256
8a524e068237c3addc96cd5d6bc75c763246aeee570eeee0df2b6255bb11335e

SHA512
d25014e11a4143f8b0985ccff389d035613e017ce2904657bfd776e5663e8a15c81535ba9e87d1c80e3d7a976b39815a5e123ace516380aa7534380312dc7cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
114466cf7c624d1e48be4b609f256eb2

SHA1
b5bafb0e74d409fcc0c62301f3600587be11f3d8

SHA256
048bcfed01101ece68dc0aa1c0c2990ed679d4243de3ff03ed8476afb6a83e66

SHA512
d82d35eb7d45ccae6e4c277d4b0fa8aa8d9a6dfef9de6ee077677ad6b31e1518a07a08b1981e951b49d869d3479a91d6390d891fd6c05c1c10fe27b0f366c800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
013cb6644c07577c0c8d1b50972c9d45

SHA1
8aa63eec91688a6d54cc368f4ce0bd602b1095c9

SHA256
aa88010f9c387aee026821d77b8453b41cb8c8a69e280e6fc7689db1c899b9bf

SHA512
fa6edd3bf845dd97051c4a7ea5515e2fd0b6c1d5618e3ca9a9a73b21fc4cd17c55bf02db5d6709ba474ae6f43641060b68b32d4fc20f7a604cdeecb5390f206b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0662a15f26948b5288e17c62debc5a47

SHA1
0d48d15b694147a3ef9bc86e916ca45e8beb727f

SHA256
5902e4e50b3498f7c8e20b7a87f660d18e1a3f91ad8978869997ce704aaa7ab6

SHA512
0ab8c44d6b51de22db0e653ec3b0cdb4879b0bdaf42e082f15fa0d3a6f68b67a2a96ecab3c1b8adc3f555601f6b54edbda4577b858e6023ee3597ba2a391abb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
754d51a0f08380dee78b274e3a093f23

SHA1
1d0c0d44191e277a7497abb041b11609ac09e756

SHA256
d241330cbe271bda01a3b98c5ce569372bf13726d862c7ff69409df1946383c5

SHA512
e30a9e122ce18bcddb2138ff5f161c85650a993c3d6107914cc10ed69d8d8a2c2b6c4cdf862de0d6b10c040b468ae60c3f2ff765a53cdf143ea50d256b8d2fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
fe4b402b74d8ceab6484ba10564f3d30

SHA1
237b70fff2d0755c54212870aca0829989a42b84

SHA256
79f0322a958e3091923b2996005a01d5dc5e79311578584cff0e04a97083bab2

SHA512
6848b4cc61ec0f75b06b71a34379b5ad4007935bab766ebec778d3d4b319df6a848da3f5fd816409f9026b816ba817ab50822eacb54fb8bbcf9b24a86593ceb1

Download Submit
\??\pipe\LOCAL\crashpad_5708_WGQSNHDHHCSNUHTL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3168-10-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-9-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-14-0x00007FF9DF7D0000-0x00007FF9DF7E0000-memory.dmp

Filesize
64KB

Download
memory/3168-15-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-16-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-17-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-19-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-18-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-11-0x00007FF9DF7D0000-0x00007FF9DF7E0000-memory.dmp

Filesize
64KB

Download
memory/3168-12-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-7-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-13-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-0-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/3168-8-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-1-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/3168-4-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/3168-5-0x00007FFA2184D000-0x00007FFA2184E000-memory.dmp

Filesize
4KB

Download
memory/3168-6-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-3-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/3168-138-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-2-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download