258a142a0e0cbb673697eabf88315dd8bfdcab2856dea0db12430ac938fb94b9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258a142a0e0cbb673697eabf88315dd8bfdcab2856dea0db12430ac938fb94b9.xls
Size

111KB
MD5

1aebe4c509eb170bd5fbb5af3e53e1d6
SHA1

623c7967628952c7a86ead2cbf72f32ab7f2d3d2
SHA256

258a142a0e0cbb673697eabf88315dd8bfdcab2856dea0db12430ac938fb94b9
SHA512

e1ef59f9652aae3f6325515b86a88030ae595e3010244eb44a9b75c5c6b271bfbaefa761ecb674640eb3e85ad39901a3df1b336ce19f438c1a7abb7f1a9a36a8
SSDEEP

3072:90WF2Q0AVhYkbJIm46+nhLwFiLJU2vDR:90W8KVhYW/4/F9Lu2vt

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1476	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
100	msedge.exe
100	msedge.exe
4108	msedge.exe
4108	msedge.exe
4000	msedge.exe
4000	msedge.exe
3268	msedge.exe
3268	msedge.exe
1656	identity_helper.exe
1656	identity_helper.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4108	1476	EXCEL.EXE	88
PID 1476 wrote to memory of 4108	1476	EXCEL.EXE	88
PID 4108 wrote to memory of 2056	4108	msedge.exe	89
PID 4108 wrote to memory of 2056	4108	msedge.exe	89
PID 1476 wrote to memory of 3876	1476	EXCEL.EXE	90
PID 1476 wrote to memory of 3876	1476	EXCEL.EXE	90
PID 3876 wrote to memory of 2720	3876	msedge.exe	91
PID 3876 wrote to memory of 2720	3876	msedge.exe	91
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 2104	4108	msedge.exe	92
PID 4108 wrote to memory of 100	4108	msedge.exe	93
PID 4108 wrote to memory of 100	4108	msedge.exe	93
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94
PID 4108 wrote to memory of 3668	4108	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\258a142a0e0cbb673697eabf88315dd8bfdcab2856dea0db12430ac938fb94b9.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://isols.co/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=15763294
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe702246f8,0x7ffe70224708,0x7ffe70224718
    3⤵
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1456 /prefetch:8
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
    3⤵
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
    3⤵
    PID:1656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3112 /prefetch:8
    3⤵
    PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
    3⤵
    PID:1276
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
    3⤵
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3759000852157356522,677988656329186952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://isols.co/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=15763294
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe702246f8,0x7ffe70224708,0x7ffe70224718
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,3990543040767905148,13533035582101783077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
91a6f46c3ca6ce8afa4567b42bb70a9b

SHA1
56e59f89fcb135572bbaccf7ac08ab204b96323e

SHA256
c27f77ada2add988c0608ca4a86e3ad01438cd76dffdf7343dea166d9c72b19a

SHA512
3c53aad37a25664fa6aa7431328ca21f14d00a73032ec4521bff8b5ee4b2d932159bbee5e6db904498f3f25f3ef367333cc26b59212062ef17b7f2c5f9f0929a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
176B

MD5
d73f11a47cead40e325cccc9c11edee9

SHA1
79be7f4d3bbbe2a11307e8d5eea988c1f08f7687

SHA256
72a7f74891e1209cd3fe322441dcb150a17ed92e5c993699fa2bff72168d3c1d

SHA512
0e947f05f3bddd8a8c0a3f4922ffde01b67fb1656861ec447207c24a8e4e145483c4c8057bf3f3ad6bdba495afa693e43d2de499a01f49291fdf566cafe876b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c374c4fb7779be58c8d15269de33c65d

SHA1
6c5470ab05cc293210b8b44708f859a5b63ddf77

SHA256
8650ba9a963ab0f792e6fda06a99d9467dcbf773eee2951931242c91b96ea8a3

SHA512
8e8fdd7dec3716b4690d7c5f9ae337e796ca25b6a335b6890e763cd7005b09a77edc44e635da1a614b5414637cfee9e9fd8f51a477452560b70e709ae9c88493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f592812ce6a668dd56977e1d24f0baae

SHA1
dafbac43bd12bdafdd7e92ee67db4f04ba438ca8

SHA256
b2972050a565b0bd74b5e6866c03d937f0db2dccbf4aeb05d076ec7d5e936548

SHA512
649488650f7b01620f0839b69e37396a5612790a11dd0aa6cb2ad685fc33a5079f54b13ed809e00cdd6bf7082e9d71c3b417e1b0e386f502b72bd4795e4a8d79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bbf8a0fd-8aad-4261-be5b-411845b236b9.tmp

Filesize
6KB

MD5
9ae73ce8caae8b2f2f1f0ab0d1ee18d4

SHA1
9a0c7cb070a15d804fd277538acba0617f5773ff

SHA256
8b62e2fff717d504864a65cea7f79bded46ef65f6fa225a57ce5c0c25036ad58

SHA512
c26277864e8f72d6b5d1ab545d622fe1b576a45ec70478e5ae84a0ef736f01ee67c4107e291ff2d229ef664e75630322b0851bde37133c14cb948d075f600e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8bd1c35d2992ad3101edc03e84fb3a00

SHA1
e81aa214e5593f9b04983b996cf53cbe7ed7f62e

SHA256
24a91a5fa19f89ab946767adc5147f5b2015b658c891840aba204c89df26e50f

SHA512
69f7921ede4db8cba90a7ed69502f90b58097d94294ba898bfd7051159c32ea5f19934e0c989b87da5d16852c91c1eef312dd08855a0bd827e759ca3e4ef84b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
10082b57a31b23784d856b3a8c20f273

SHA1
45b66d1f9fc49e528cfe5564b8f9aeb8f841583e

SHA256
b79cb4e25007f24dc23539b3dc6c50d9aa63e3e7f71e51ff6ebc20d2a8cd84a2

SHA512
a6c919219ae431e9a072f83f3eaaaa41a572a031a036516461f8221d909c3750e6beb7995107976dc12e1f26d21972f868ace159f75dc6e77669cd8cac8889fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
db19ad16cee1e1cf6b44d3f7269e91f4

SHA1
94b8f24b5277fc50f0e2240eb1bc3c27f0be0fdb

SHA256
0f269e988aea32877745e84eb795d7aa6b48f23817f8ba70d699a0fd3de99e8f

SHA512
bad8f31f4936cd38c4a87f9d0557d540e2b852e2ca7c12b315c4547c708fde642b87c7b8400c5460f3a9d8b0a43045c8f178c9a1ea67b385a0ab5a478d7d8a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
25aa95aa5269487e2261d0642b50cf86

SHA1
46fd26f1c592c8b37a3484ca45dc644a3614b3f0

SHA256
3e74b7b339e9b9e0dc62628d9e0d7602b10c97e4b8f15382ffe41b714e577500

SHA512
cf225a25682831b8aa6660eed8a0ef68d81f24c6786668d04bf07c0b6a081d95700f479e7e124cdd255062371d9b483f80ddaa9719ffc4ebb64afc68248c921c

Download Submit
C:\Users\Admin\Downloads\kingofthejunglewhoiskinglionisthekingofthejunglewhybecausehisattitudeistotallydifferentfromtheotheranimalsthatwhyheistillalsokingofthejungle___lionislvoeothers.doc

Filesize
29KB

MD5
7b5d3add1b86b47b353097ff332e00c0

SHA1
3cc2ffbfa4f96a28a95b5af9d056c615039f33d0

SHA256
26705e951d84d15fc4304eb0799f6a09f3ab412fb59cb8afffe9d81ae1918f10

SHA512
7bb2f0930a03d81263fd154e3aca6050ae6b3680b74a87a93a9e427599221522105e346b8aa35bcf5dc89e49e9511ce442e7e9b85ef52c5b00a69b8a729cb17b

Download Submit
memory/1476-19-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-17-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-8-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-7-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-6-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-3-0x00007FFE55970000-0x00007FFE55980000-memory.dmp

Filesize
64KB

Download
memory/1476-2-0x00007FFE55970000-0x00007FFE55980000-memory.dmp

Filesize
64KB

Download
memory/1476-1-0x00007FFE55970000-0x00007FFE55980000-memory.dmp

Filesize
64KB

Download
memory/1476-0-0x00007FFE55970000-0x00007FFE55980000-memory.dmp

Filesize
64KB

Download
memory/1476-11-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-13-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-15-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-16-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-9-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-4-0x00007FFE55970000-0x00007FFE55980000-memory.dmp

Filesize
64KB

Download
memory/1476-20-0x00007FFE53070000-0x00007FFE53080000-memory.dmp

Filesize
64KB

Download
memory/1476-22-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-23-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-21-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-18-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-14-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-12-0x00007FFE53070000-0x00007FFE53080000-memory.dmp

Filesize
64KB

Download
memory/1476-180-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-10-0x00007FFE958F0000-0x00007FFE95AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-5-0x00007FFE9598D000-0x00007FFE9598E000-memory.dmp

Filesize
4KB

Download