bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Resubmissions

11-07-2024 03:36

240711-d53f4azaqc 1

11-07-2024 03:32

240711-d3s5msyhna 1

Analysis

max time kernel
449s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{A412C280-4E09-40AD-8657-67FFD4414F55}	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
3052	msedge.exe
3052	msedge.exe
4996	identity_helper.exe
4996	identity_helper.exe
2432	msedge.exe
2432	msedge.exe
848	msedge.exe
848	msedge.exe
3872	msedge.exe
3872	msedge.exe
1864	msedge.exe
1864	msedge.exe
4428	msedge.exe
4428	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4948	7zG.exe
Token: 35	4948	7zG.exe
Token: SeSecurityPrivilege	4948	7zG.exe
Token: SeSecurityPrivilege	4948	7zG.exe
Token: SeRestorePrivilege	2440	7zG.exe
Token: 35	2440	7zG.exe
Token: SeSecurityPrivilege	2440	7zG.exe
Token: SeSecurityPrivilege	2440	7zG.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
4948	7zG.exe
2440	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1084	3052	msedge.exe	89
PID 3052 wrote to memory of 1084	3052	msedge.exe	89
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 1628	3052	msedge.exe	90
PID 3052 wrote to memory of 4956	3052	msedge.exe	91
PID 3052 wrote to memory of 4956	3052	msedge.exe	91
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92
PID 3052 wrote to memory of 4500	3052	msedge.exe	92

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
1⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbca5e46f8,0x7ffbca5e4708,0x7ffbca5e4718
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4840 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7864134307717083759,5314616712801088166,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ZOD-master\ZOD-master\42\" -ad -an -ai#7zMap9838:110:7zEvent32616
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ZOD-master\ZOD-master\42\*\" -ad -an -ai#7zMap11295:1922:7zEvent7533
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
7d5e1b1b9e9321b9e89504f2c2153b10

SHA1
37847cc4c1d46d16265e0e4659e6b5611d62b935

SHA256
adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af

SHA512
6f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
43KB

MD5
3a8e93c58f214d4622af88801ae9bfce

SHA1
22caf6fbb49eeb1697eaf9163b5763f2d62bfabb

SHA256
59ee19c450be3359b056eafc37e00e51a88ac2ccd690f8be043b6c4c185b19f8

SHA512
ee2a7471bb43c0244e07cf1a76031b09fbb39176ec87e07a806608a402aa20567d1a9c5b7a0dc45c9cf7e2c42dc601eaf475b4687bca75245256a6a384c49378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
32f58aaf5a515bdbb3d13f72879d2bf0

SHA1
1742585148dcce5d9a85464fdc5b25f394e4736b

SHA256
b2be2096fe98a9b55d92512ae7859e8ba6a54be03afd7eb454b220f9ed888ec8

SHA512
28c693e9a85da7cd7441209c60c4da4b9b6b7da7555c86c2039387b470c453a474a07597069959cccc2840360f76dbb307f88a77e52248adcf8de71ab99cbe19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7bc38eb3039d1636b3b8d9fcd60a3286

SHA1
cfbab1b50ab810be2a8620b6b7d96b8db611fce0

SHA256
9f9f2a11908b3c5fc6ee051bbf22524402c0d522432a507ba9c53f0df88cd8c9

SHA512
5fbd63372bfa6aa3f9aad5fffc8f773f49dd64509d42a3c93396f11ca4c2e418b24b0d597ebe554f1d186cfa68e8e8916ff284bdef39a7bc786503d1c7a4fa41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e3ce4321a0744204ad9b57945c1bfda2

SHA1
25c44f77960c9953d70f29b932a6f05cf2600acf

SHA256
f62db78a858a0e6eb625627806fb6e348ee37dfc9efa3bd724727f853b9ada07

SHA512
b3cc2eb2fdf510de20a727984c646df74c814625b8bf9c2cc2ae4061bd5920ea6d6f6fa8e541b78c560a9b83a7d3b82e35ab536ad4fc57b2cc9001fe0003273e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
873B

MD5
f1f8d7d87256cef0d59caf364cf0d428

SHA1
55b9fd442a802304bc58f145137e0850e2b1e1b7

SHA256
a80f5ec6e4801bc631364370c4b777adef093d7265a7b40f6269ca5df7d3d903

SHA512
a1bd0689c0d6dff14f2b327dbf8d78b30d707a1f80074d1c048e1233b59802191f8eda3d7e2a804e69bd2936a6cbfaab07e9ce729706126f242b4748edbe2b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5678305d9305c2e84748a16621651b4a

SHA1
771407b44cc62d5d81c2943f715c5e1176f94ae9

SHA256
2bfee781a8a4534587f46853714c719d6a0608c3fe38d9bbb5d50824e37c415a

SHA512
d0a45367396b0db0486d3d5efafb1b5c26c6f02af75ca5dbf39b544c84b431069d5ab62ccd5e24b5a22e6db87f69ceeb41249fed291d9e1262541b31defab093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
056c8891816066e2c95bb688b8e06493

SHA1
6c69418819d427bfdcd9132b63ad62cb667c1c29

SHA256
581e51dc25d2d916cd1567cf78da560fa5513268cc38f72bf2a048119b87eec3

SHA512
cd28ed95cdd5e170368ac5debeb90f15953db4beaabe9d59ad41d9756b0d74eeca3951dac8693c6cc3bec8aea7ecc9e954312afcdfa83b8f510ee13020c7fc07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0cec44840ec7da6437629b0cac920db5

SHA1
158f2f6c8c91f376920d47204a80bfc65e5cb1f8

SHA256
393adc761572a18343290e5f6a3da06e8659657f950d9f998f92a5de08be5b11

SHA512
8f77bbac0b658d0c371af96334c5d73481167738c2a8aec785750c24422480e0ae86d5ad729336693423b0dd48ae65e31668765afb7a7be7e574720e7e208cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b0820a1e948ea3a8e7107bc9edc5fcec

SHA1
e93fe95059906f41ea37ee463f8ae1e7a56009bc

SHA256
3c7210344c4d5bbefcb9b5147340a497098b89357e0a48c731dfce2116f84701

SHA512
a42ecdaecc1feef39b5ccc6aa533e0bd3115a1b5ac2d3090e68cf455703c294e5080d83699133c361f42295a5b9e6f0010bd3cadb7131e72eb698b746e85cdd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c51b74131c6eb18a2b71ef198ed015d4

SHA1
f3b4af34f025721306a564b2f4fef7dc65d6b668

SHA256
12476972193bcd5f010b3ba44d98061add1eb34cd929c51f0923e6a43bbc185a

SHA512
2215d77bb5d9cc4929f65ebbd5278d84e13a2942901cb98f843f38a3e52bab09f6a0b138b65b526f7644819c5ea596ce1d9ef0948e0ae0699dee6245fdef24cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f5e5e85c2e5095ae7a82a18e1713865b

SHA1
4e2c3519135090393a676cf42315d8dfb3765575

SHA256
8fccba7403ee7104bc2cd87a0cbacd86411201c1bd9be80d3799d849850cc77c

SHA512
864bc97fa247dae6f37ca5b9b0c996ad9257dfd0e229611486b1d1e19d95964ad892690e9a4e4f2beea47738c7522802a067c22b6d9d072273b2c1f8618ca165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
4f7658464f348964d371f161d943f871

SHA1
8e7e7c1f96c2ee1ad47ca8910e6d421b9af8588f

SHA256
fc30ec99824130f5c8248ed7e59b74ea17d174915cf404b9662fd48f08dc68bf

SHA512
2b5b0ceb802fb63c64ce7dcf09bdde6ec7bfd0f1ac8287aeaf9fba99a5fa479bcbaab74403e89f06a630f6acc124e9fc1acf2a629166cf0bf6a47a4200513a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f470cf0c6ed857d0e270426f83e78051

SHA1
2a3863a71fb7526b5fc0ddf7c32432f35012e35f

SHA256
96a6b75ba2c669152b218de271217362950d66ea764186c7fdd53d0b191527be

SHA512
7caa0ee59cb8a7d5c16f7e30073372831fa5e6bf1e740788e94886d521fa3a3ccb2ebff1c5e5e1b08760979108cbf1bfa993f6256ef0f3c7cb28b620c68df382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5893fe.TMP

Filesize
534B

MD5
6f49e50ea9b2ec6dcc993b32228a2715

SHA1
5beda4f5951918a17238078ee5f5902285855f08

SHA256
754b2553892bb1e94917bf0495ccaaef94fdb67d29827ab051a17043b453d642

SHA512
36b6f2c0d1ce1732f22216a8850a377f006ba35314993a3c77851e6aa4800d8d9b3da9866f38aac8371dc3b30a4893c659068d40f48a9e00d1d35fa736186306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
371ce3e2b27f6dde52304a2c24831076

SHA1
01e2c8e592ff2639e9253e63d73e1cace7077c1b

SHA256
6363c835e243ff21576ef5d17c69659cac4f77204adce5fb00f6346c8ec22965

SHA512
bf1c7d48ab85b5ad0d0f2fcf666766035fd1b1cd8038563b6d188dfa81e4675e8572123936e38aa77d7ab5b2831e8f9930181ea022e70dbad4199814d834e9c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
48f218d3b2fb1cda9b6c2cc0909f0a6f

SHA1
0cfe854956ce2df59c4f44fdc6f7c77619d2f720

SHA256
3c1562f038aa0405366a5aa746a19cf302f7c6a8827f50d394694dd32975a206

SHA512
e246056ef1b40ebe78dfbb89b362c728b1a6bb927a12fbcb13d5722855ecc0c4efc563596d9d08fc7f3e6abebf33af94621add9ba875f130dd1e6501186f74b3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 506817.crdownload

Filesize
1KB

MD5
f426dc8be2d7be99124b2d6fe5ea2057

SHA1
3402c1f79a21fcefac4a4b9e14629bed49be7b90

SHA256
4323131a2bcb5271f4a66a269f4a59b0552289030e03749e81ded9c09b1f15f3

SHA512
658ac2670c754449ee5c8a91ef58318ab01420a1926524bc048a08fa2dee1ad596f6119af3df83c5d60b374e880d29d2d69334c0155e24f1e4127a30a6a1540f

Download Submit
C:\Users\Admin\Downloads\ZOD-master\ZOD-master\42\lib 0\book 2.zip

Filesize
28KB

MD5
38605a41eda691b378c8304bf914c777

SHA1
75f2667ccacce7c7947c186dca5029ffee720c01

SHA256
f791bea6d653eddcaf8be57e45b698e75f105e28a20c50f519ad43a2b2e27b2a

SHA512
d1876ebad38543260b3c4a2b83b69546da52b093f459890835ad02ea65ea712e91f40c5bf9ae0313fa2f4fec303cea2348c5272a4ac70088d1dbffb7d5163374

Download Submit
C:\Users\Admin\Downloads\ZOD-master\ZOD-master\42\lib 2.zip

Filesize
34KB

MD5
0a76bd3e26768bba68aca3d210997069

SHA1
753690994a18cf58ed0fe3749d16448b763047b8

SHA256
9056b87f079861d1b0f041317d6415927d9ffb6498ce2530ff90fda69fa64e78

SHA512
14408ea7f44bc365a58d7480fff9ea3b10fa21bfbd3363c6e30b74a4d4121677e20ce1108cce12c203f0760768aee1c1aa69b130e090c409f9a516ea02d70c49

Download Submit