c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
Size

1.3MB
MD5

3c086ba52c378dde10453862407a896c
SHA1

5f01625c426cfa1fcfde5957eb09e44f63a79c36
SHA256

c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf
SHA512

8528c2410aa363b4e9c5147fd9f11aa6ba8b740954dcffb802a791c3e9ab8c27ac1ae0b8fffe4fff84646a7a3ab66a6ae8ee54164e0085c9fc534a2b00d773b5
SSDEEP

24576:Qak/7Nk4RZOqKZu0zoFmDcpii9iGn+66rLfJIgtEqPILWz8oDqE:Qak/KZu+k0WdEacJRIo+E

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\K:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\N:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\O:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\V:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\Z:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\J:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\L:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\M:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\S:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\X:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\Y:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\A:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\E:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\I:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\P:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\R:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\T:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\U:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\B:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\G:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\H:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
File opened (read-only)	\??\Q:	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
1680	msedge.exe
1680	msedge.exe
4004	identity_helper.exe
4004	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
Token: SeDebugPrivilege	3008	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
Token: SeDebugPrivilege	4668	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
Token: SeDebugPrivilege	4668	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4668	3008	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe	86
PID 3008 wrote to memory of 4668	3008	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe	86
PID 3008 wrote to memory of 4668	3008	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe	86
PID 4668 wrote to memory of 1680	4668	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe	90
PID 4668 wrote to memory of 1680	4668	c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe	90
PID 1680 wrote to memory of 3968	1680	msedge.exe	91
PID 1680 wrote to memory of 3968	1680	msedge.exe	91
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 2496	1680	msedge.exe	92
PID 1680 wrote to memory of 3176	1680	msedge.exe	93
PID 1680 wrote to memory of 3176	1680	msedge.exe	93
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94
PID 1680 wrote to memory of 4092	1680	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
"C:\Users\Admin\AppData\Local\Temp\c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe
  "C:\Users\Admin\AppData\Local\Temp\c2a3e7049aa6dc5b8c7fa7874d70ec5a00f949741504c301a4e527168e2c45bf.exe" Master
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd786b46f8,0x7ffd786b4708,0x7ffd786b4718
      4⤵
      PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:2496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      4⤵
      PID:4092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
      4⤵
      PID:384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      4⤵
      PID:2160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      4⤵
      PID:980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
      4⤵
      PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
      4⤵
      PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18320973215774819523,1221271641931906893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
      4⤵
      PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0331fa75ac7846bafcf885ea76d47447

SHA1
5a141ffda430e091153fefc4aa36317422ba28ae

SHA256
64b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a

SHA512
f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f0f818d52a59eb6cf9c4dd2a1c844df9

SHA1
26afc4b28c0287274624690bd5bd4786cfe11d16

SHA256
58c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61

SHA512
7e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc093bb172ce41b9bc7f217a20e94aad

SHA1
89914129ad9077634febd7c8e6eb099f04594a34

SHA256
ef9dd449c92ad52bf7ddaa30cfb1cd08b754c3264207729b79b67ec7664f1d3a

SHA512
548fea751ba98cec52cbe63cc5493a7caffb5db8bb89ede781c4d16615f523763dff2ab93b242bc814f978722c86ae2a90abb60364e6c9f7d876808ac039b52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73320a49011b8c27b2a1a265cb00b5da

SHA1
bf33f5f80897b3c0af33fc77b7f23e60f07c4a9e

SHA256
20ed4910ca4153a07f9d3a925c5d924538037918c00002855ba8a15e5ce24b34

SHA512
3ef884725b9f17842d8a6045a3846d33fb58ba90e2f4796be14fdba1e72a90acd888625230ddd7f18e976630bba854f8f7286a83ab3d8f380e6dc19b60f33eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3ea2ff3a8cd0835aaf79e89bba2198c

SHA1
f450d1c6c892762cc588fc63d089ca6da4fe0416

SHA256
a09f72283a1de05ccbee237db179e4261c6ca8b71b1b1088fd502570ac1af507

SHA512
a38d893a2f66164a9ba1b872168b6266d46d42226adf9df9fcc41c1c615cc7599108d6dcc8d066839b9fa82185df31f401d4b6286ffeb8f48133c85c0842e1b8

Download Submit
memory/3008-2-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3008-12-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3008-5-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3008-3-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3008-0-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3008-4-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3008-1-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-19-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-30-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-20-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-21-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-22-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-23-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-24-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-25-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-26-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-18-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-17-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-16-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-13-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4668-9-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-8-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-10-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-7-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/4668-6-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download