d418ca84ca4bb7db72d2b00f8d6225a57909e02f712c7b0e2d9cefb2e18d0737

Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

max time kernel
1734s
max time network
1764s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
Size

145KB
MD5

9f16d35de8c312ba0b6f9efd558487fe
SHA1

93040ad968110a6c96c9e2f74f6902aa52b71057
SHA256

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e
SHA512

1534d12e38937d0c9597f67540b1c849728a637eb7dcd1286e28c9bd72a463bdbc492247beffd16e47986157323134edc84eb1d1f2e857d5c4a136427fe99699
SSDEEP

1536:6Cpb2XbbPD1c2lB4a9wL7vkYq0Hk5rR5JkVJ4y/uU/rLV9YYccquTrX7YeOzk+7J:ZyXbt4aEcTrR5OVZ/rLV9Yrcqu3

Score

7^/10

persistence ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imageSENDOjIKfiLaScwSjpLVSNMJhMdJVt.jpg"	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4268	msedge.exe
4268	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
4536	identity_helper.exe
4536	identity_helper.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2552 msedge.exe
2552 msedge.exe
2552 msedge.exe
2552 msedge.exe
2552 msedge.exe
2552 msedge.exe
2552 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

description pid process

Token: SeDebugPrivilege 1636 6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

pid	process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

description	pid	process
Token: SeDebugPrivilege	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exemsedge.exe

pid	process
1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exemsedge.exe

pid	process
1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.execmd.exemsedge.exe

description	pid	process	target process
PID 1636 wrote to memory of 3228	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe	NOTEPAD.EXE
PID 1636 wrote to memory of 3228	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe	NOTEPAD.EXE
PID 1636 wrote to memory of 3228	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe	NOTEPAD.EXE
PID 1636 wrote to memory of 5112	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe	cmd.exe
PID 1636 wrote to memory of 5112	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe	cmd.exe
PID 1636 wrote to memory of 5112	1636	6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe	cmd.exe
PID 5112 wrote to memory of 2552	5112	cmd.exe	msedge.exe
PID 5112 wrote to memory of 2552	5112	cmd.exe	msedge.exe
PID 2552 wrote to memory of 1572	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 1572	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4168	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4268	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 4268	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe
PID 2552 wrote to memory of 3156	2552	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
"C:\Users\Admin\AppData\Local\Temp\6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Read Me First!.txt
  2⤵
  PID:3228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c @echo off & echo github: https://t.me/temon_69 & start https://t.me/temon_69
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/temon_69
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc49f746f8,0x7ffc49f74708,0x7ffc49f74718
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:3156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:1172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
      4⤵
      PID:540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:4148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      4⤵
      PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6a26b5db6444f0c6729911687e925862

SHA1
7ae080cfb8d8fcba45b66327926f6d839c2cc2be

SHA256
6c897062fc2cc129678673cf8db3f68fba97819981dbd9c2d0a6eb2aa2fbbcbb

SHA512
b2817f25df0c90226fd288bb5c14e743f327f10ff7d7646a71477af730808980383423e71fe0f2790c769105dfec0068f9e5f70dba9c200fdf9efb7135c96942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
242B

MD5
e384a795d1e597feb0a5bebd13dcde50

SHA1
7ce66637789b61ae163c1de62dc996a99cdef796

SHA256
42a6ef02d02be95231cee980c97d4398ac167e7264a5cf838b3e3a2ad2a3380b

SHA512
36f58ca4b73ed5fdfd9b2557d09203189dc9cb3db29ee9716f89bb75a8f6d1c32cca67e597dfefb3b9074be0a024ba51ff40d8024439ccbb16d17316abc2215c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
905c548adef3ed849b06bfa7d82b98e2

SHA1
b5f2af3fa61a3976f7f38052383021a8d4c6bfeb

SHA256
ff47d07d1f4218979a5f56e743ab522abe6ee85af50445c571b7b4b0e9647083

SHA512
168fe6ca43b7d2f43a8eea246d2f8edcd8611a8269d25296dec8a19a948cd2c0972febf245b933798dd2bbdc6d69f33306c82301c20780f2c5c36cf0ffe5dd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
343570ad89d620fd747de91e712d0b1a

SHA1
398f9333ad0982f5d2278315f2a83a119cdff12b

SHA256
4ed3aac076f50c6dfed55383ae14c0e4725bb7659048651ebc54f36685554482

SHA512
d14e2303df12e92d33b19435b91a0539acb0c60c31a60bd05f2d5d90e261ac37112e083b579d9e48c646b86dbba24c4cb273f134d445ffc3e8cde14da7370b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e2652ea9f6ebb6f48a4d36091bb9e64a

SHA1
b9a08709b0ce607ca91ba3548f747221a0d9ffa2

SHA256
f7eed943cc7aafa8b39c84a630b5247bc1d6391f60016a48e7b72838719324f6

SHA512
d7415422357985340a5d321e18a991b0f4deff635298d6ccfdf344c4fe04294191c1ad52d9dcaf0b1d9c8e7798fda1cbe350da56a02824beedaad375e98a8fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Read Me First!.txt

Filesize
266B

MD5
5efe8b27a75520511406ff8ddcbc93bc

SHA1
d3755c5c29e04f356c6852f64e6a318885d93579

SHA256
426906022fed3ebb1427364f16717af29af909bbfa08b387518ead501ef1c7a8

SHA512
6ee99458c294e072e7f4bfaeb34bcca1364b4440485b18dfdcf27aadfd7fad67fff11c3238326f7fbd30be8f3670d2c200c2dc9c5f38e36f0dd14d83ca3a5e7b

Download Submit
\??\pipe\LOCAL\crashpad_2552_AJDDYOFQNONMHOUH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1636-17-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/1636-5-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/1636-4-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/1636-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/1636-3-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/1636-2-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/1636-1-0x0000000000CD0000-0x0000000000CFA000-memory.dmp

Filesize
168KB

Download