hxxps://s2[.]dosya[.]tc/server31/o4ji5u/sender[.]zip[.]html

Analysis

max time kernel
240s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 07:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://s2.dosya.tc/server31/o4ji5u/sender.zip.html

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
158	discord.com
159	discord.com
168	discord.com
170	discord.com
171	discord.com
156	discord.com
157	discord.com
160	discord.com
161	discord.com
169	discord.com
172	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
1016	msedge.exe
1016	msedge.exe
2984	identity_helper.exe
2984	identity_helper.exe
5216	msedge.exe
5216	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 4084	1016	msedge.exe	84
PID 1016 wrote to memory of 4084	1016	msedge.exe	84
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 4528	1016	msedge.exe	85
PID 1016 wrote to memory of 5076	1016	msedge.exe	86
PID 1016 wrote to memory of 5076	1016	msedge.exe	86
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87
PID 1016 wrote to memory of 216	1016	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://s2.dosya.tc/server31/o4ji5u/sender.zip.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff842eb46f8,0x7ff842eb4708,0x7ff842eb4718
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9524270465646836215,8875646845729812083,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5704

C:\Users\Admin\Downloads\sender\sender\sender.exe
"C:\Users\Admin\Downloads\sender\sender\sender.exe"
1⤵
PID:1788

C:\Users\Admin\Downloads\sender\sender\sender.exe
"C:\Users\Admin\Downloads\sender\sender\sender.exe"
1⤵
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
8f9c4574482f98a8b06339d6365ebb1d

SHA1
904b6f4dadee3cfb7aa6eac640a46e905fab32eb

SHA256
a95a00f7901fd1cff625ef22973f384a1e6af469e55f3a96990aad2a084cafdf

SHA512
c810b900a8e2441bde6f6fe4e0a0e355d796b6cd859ba2824875a40bcb53e5eb9867f09185aa46c1c46351b868fabce3d3da773af72bd2fb606698cfc9a8b0c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d3161ba773f38849b4cf240ffab1b66c

SHA1
c1040d218ab2c5eb17fb840d8d36b7ab31e00e2a

SHA256
51c2b5771e5f323597ff99ea7ad2c0abc0a28c67ce923f441b8855e1ad190b25

SHA512
3096e317652ffbaa910317939d6b2e5a0aecd9a332b92339ddd2d63af32d310512bc9edf352486646de4ea76cbb7887f069bbe1e9a93079e8b3c9915b1af44fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3e2c559288566ce89d32478d15afad9f

SHA1
d219af6f83be1ff0c44faf27690e4e7aa4a55de9

SHA256
546c570de36e75ce89683c3444d49844455dbf97acd9e9c61d581633759d4092

SHA512
fd935dbee4e8096a98487f32fc152c4d4d8ec37ff3afea31f552d40abbd2e84828b07f92869f82bdcc70865ad850ede80c79c2c7ab32216e79491d9d06c02e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59b1170b73ebbe466d7306e5b900d529

SHA1
9b83df51e9468b7885a9ed7905c62121d8f469ad

SHA256
5fcd56e3c83b601686339815417f20c1eabfc2213de5e6d2de76dd56cd34b227

SHA512
9ea29d4c8edcfa387575ab9326bb49518f42b9208f467a281042e9782cf8b257a30cff6e9c4e39fe8d51309a29c967ae0a75a5e8f902bc8eff89cb0718063597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8289c1b330a931b034521480fa46192a

SHA1
bd84aa5c4a93c2a1ffc5c145ccfb1b34bc0d29e7

SHA256
7fb3d32a9102d238c14fdc4fc38a34e6d54d1f8305a0b563ac5681612cc22a0b

SHA512
045a4fbd0a621dc83bef1902df93a3a21bc044a0eed4c495983ea05cf257a6b7d7d3070c8aeaeb4435935ddbf22cff318b3c2c3b41d664c381806c7d949a0b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
749413fc82bb82aa110ac08881f2fa97

SHA1
909cbd1dd4e20c5c0291ff0a12131f7e517ee968

SHA256
995fcf14844e9d0f39e4fefaecd186a472c28fdf57598606b9cb2732ec4f60f5

SHA512
ada776b2cc30b75482d3cc3a42fa562d6a5d5888b13a5d006cf13f48e7b9cc2553f94e7360b3801cfe701875b9661adcbb717cbc6cdfd2320bbe53bd78bd0bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
534B

MD5
f2e5d554f5ea2be87797ff00a563700a

SHA1
565e7e827e2c8ae0ee1888a492f6ce29301addf8

SHA256
13af7930bf562e552f0e34e1fe883b79ebf4756f39d9faae7c28699e30bea5d7

SHA512
752f1bd2c866f65b1f9b33d1e86bfe2c12659d5b326357c41d289a97d8e40d7f6155962643c135075b8c949660bfb6ed816933911e7cfc8acd0e796423cc7f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583a35.TMP

Filesize
534B

MD5
5efa25c96f507551bd52113706128f27

SHA1
a0bf7b1b2430673c991297f35f48b032dcd02b2a

SHA256
4319973118d422db7424d5fcf239550251d058ed929f498ed1de45a2decd5726

SHA512
bdbd7bd94a2e63647d4361ad56a1c52b73a4cfd35a16492f37a13a7a28fd8a26c731dc336b45b080fc1d514f1201471a7c7b905c5be4dfc059d100092975fb5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d9ae65da00151553988cfc410666ea5

SHA1
283eb38f7b68319bd43c10c9f219b79eac0c3527

SHA256
9fa0afc1f0c7a5470558b46d4982087a83d41a476fe158b99ae195561661c2c3

SHA512
9b7e6313a34e7a8fe87958185cf78631eb79549a3e939aeb620c19c9e9be626bf0aec8a83111029bb3c18d114e3bc24419b9af76d1126250c28c998e4af91055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c08b4e58c78c5888a1215c60bb514531

SHA1
3b30f861b40be28915c1c091003948265ed4e0ac

SHA256
eba7823c55198d260e9474270e9f1bf0e07c04019ffcf1ab9b4a33dc849b0951

SHA512
551aacf85c89dfe0ef80c2c36a03ceb8201faafedd1be4095ce7ff29ccdfb06ae1b227068cf2f52bb2b96404a4cfc175183f4217ca2a1d56fafd8e29e9cdb190

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
f15db624de298375ec1a374c6085bc9a

SHA1
6b02ed26e26dc53adf5a9fb143a1db687f2a128c

SHA256
8a7fe081d4337409a1e1c7acaf7d0adac17e7da400efdd7cc9d94b92f8e4c527

SHA512
d29df09e2a07f4f251aa3e6a3d403d18cd9abcf805bf67daeef8b664387acbc28528ee7c6e461b097236455a2e8c6310a6ca652ba85bec708cbe8776c9f681e2

Download Submit
memory/1788-309-0x00007FF82C850000-0x00007FF82CAB3000-memory.dmp

Filesize
2.4MB

Download
memory/5820-319-0x00007FF82E230000-0x00007FF82E493000-memory.dmp

Filesize
2.4MB

Download