hxxps://itchio-mirror[.]cb031a832f44726753d6267436f3b414[.]r2[.]cloudflarestorage[.]com/upload2/game/1186924/4412630?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3edfcce40115d057d0b5606758e7e9ee%2F20240803%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240803T052812Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Signature=2434b0267918b0f733879eddf722c9729ddf0961f0da7fb3ddf85b9ff753547b

Analysis

max time kernel
64s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/08/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://itchio-mirror.cb031a832f44726753d6267436f3b414.r2.cloudflarestorage.com/upload2/game/1186924/4412630?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3edfcce40115d057d0b5606758e7e9ee%2F20240803%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240803T052812Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Signature=2434b0267918b0f733879eddf722c9729ddf0961f0da7fb3ddf85b9ff753547b

Score

4^/10

defense_evasion discovery

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BonziKill.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{01682684-3B4C-48D4-81A6-6A1150371A16}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 764297.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BonziKill.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
832	msedge.exe
832	msedge.exe
1600	msedge.exe
1600	msedge.exe
4120	msedge.exe
4120	msedge.exe
572	identity_helper.exe
572	identity_helper.exe
3452	msedge.exe
3452	msedge.exe
3484	msedge.exe
3484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3960	1600	msedge.exe	78
PID 1600 wrote to memory of 3960	1600	msedge.exe	78
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 4448	1600	msedge.exe	79
PID 1600 wrote to memory of 832	1600	msedge.exe	80
PID 1600 wrote to memory of 832	1600	msedge.exe	80
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81
PID 1600 wrote to memory of 2536	1600	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://itchio-mirror.cb031a832f44726753d6267436f3b414.r2.cloudflarestorage.com/upload2/game/1186924/4412630?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3edfcce40115d057d0b5606758e7e9ee%2F20240803%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240803T052812Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Signature=2434b0267918b0f733879eddf722c9729ddf0961f0da7fb3ddf85b9ff753547b
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd63973cb8,0x7ffd63973cc8,0x7ffd63973cd8
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7427504940852524974,2243581051604858236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5d010aacc895496aa0cadce0a2748fc4

SHA1
878f3e8fd4e881334afe7d17f953b5755a69e17f

SHA256
d9991b57249bec98c907686c24420cc9ecd02b8fb3eb91691acab968627c4966

SHA512
d891c6d1e4a575a664a1d98ff0aa337aff0fd986f336bf99068b3dab8fb5a76b7805a19cdaf1da577dc6786423727b1ebbbf3b297c2f2f48c114559bac409305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
022faf5c32303f1a7b2c9afa18a8092a

SHA1
065a063ca57aa8ab59bdecf2e093eed4fd8ff040

SHA256
b9d5f07e087a1e82f7cbef1f3ee668c165a870a268cff6a1bb825cd9b6d2bc1f

SHA512
d25a4b6bd0ab2e00908fc47ec25fbe75d717c4bf6c4c6a8024b81f74cd7ed1cab6d380fe86a931524a923c797adb03e0f7804b60c5d7064799ad937c709613aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5920fdd46d55a8f13f1239294f9beeba

SHA1
a1be4b9118ee9df19fd5ff6b64e7605f4986c628

SHA256
134b2b23188ce0c0eadaabe533795013a0a5da965f870fc38bc8994b32f270b5

SHA512
4de78b2c940036f9da5a5c4c4e2140777f8642e50937b43ae7dc1bb94215565292c475db47a192d1a26d28b771e1a8fc50094b42ddcba561b6290ff298708fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4842db3cf80b6ed135bf42413106c417

SHA1
0cc4075736a0e101ed7e572282da3ec0fe9fa3e0

SHA256
d71f36e43462cbd127137e3909f06559ec109282bf0d9441e693c170ad43384c

SHA512
1942f84458b5ee60ed5d7ea1954e618df8eb2cbc3fb5d31550281004b35dc78dc07ea49db643efb5ee80a9e213031f09ccbd9d864528964bd1160b9de0faeb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
400b8305df7e4448c62027fdb109e516

SHA1
d7908eedfe2e45f4d06612bc062b204a773ddd45

SHA256
df071799d2cc959bda6c9ac0a6fe5288a0502723f5851466e232391dbff3dc85

SHA512
9b8c244fa5b26d2c7f7bed060f926d81c516d104e9edb3d1927002067c09043adddeb933f237b69bbc7a56092b0e60d2b85c2f1c1efc91aa9680bec7714586e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58144e.TMP

Filesize
705B

MD5
9dcaa16076fa11bd9c62b9124a277b88

SHA1
aee0da58bba02e99ae038cf7b859d328f8dd7422

SHA256
3394288fa17c540c9efabddf542557db74c8c7f5fcae449bf1e3324deff6423a

SHA512
9ce56555ccde6ca1f0b5940cb05f2b5a7ecab241ee9c08d86d16b839acf27320ed2f6fd29f8798f17b5d923bb312330d9ee8dc2afd09a2be11aa1f9092e20405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
67e5e9ac15f3238d9d555f679361f4fe

SHA1
5befddae4d594ca9783795e069d48ae937a9805c

SHA256
17fd6ab7e46b6d8686d409a4c6b6ee1a6414a7e296195cc8ee50adea3a7d3e06

SHA512
5ab53ee7727faaf8895622d99f9428bc20e634162c6827ff131dc3166b2efd305fead38cf8314804f71ae36f01a049eb2979f6fce46f4b79a1784c6934a436d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bca163a9abf06b8aebb788bdc49248ca

SHA1
de16b85deb2508b120caed19b319587b21afa2e8

SHA256
1b422e6ee0a2b5f2c21a8d8ada9b26ed1c30fec133b9752ba48075e79e226837

SHA512
0f0f8a72168d3d9a2c539066500419724c80e57b3d927e46a7ba95036cd9f4bca440c12a96069bf0772bef1ff60e317d183f796c6ee79f4d3258940fd9c0f63f

Download Submit
C:\Users\Admin\Downloads\BonziKill.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit