8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009

Resubmissions

10-08-2024 06:53

240810-hnsmsatfrf 6

10-08-2024 06:49

10-08-2024 06:46

10-08-2024 06:41

10-08-2024 06:38

10-08-2024 06:35

Analysis

max time kernel
601s
max time network
446s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Module.dll
Size

1.3MB
MD5

157fd035b2a344a94166d7db3756df0e
SHA1

f221d28c1deb80b4e8d9201226435aefce6b0f75
SHA256

8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009
SHA512

fad0174fbd22f58dd4fcdaad8378c214270b4faeaca64d9cb306f50e9316072a4c417c5723c4123b8bf94a3dba6ef4e3303ec60f4a2cf0c3a54d8ab375ea717d
SSDEEP

24576:ZqBSLRktEBl6blwTUMD4zB1VU2bFjYWR0pMQUAqLRAovh4bSAXVVRNRfMXZO:ZqBSLRkt8l6blSU//+2bFfvA1SQVVRNk

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
2	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

MiniSearchHost.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{C5C26365-0ED2-492C-A6CA-6D7C9983EFFC}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 851948.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Walker.com:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
1740	msedge.exe
1740	msedge.exe
4952	msedge.exe
4952	msedge.exe
1636	msedge.exe
1636	msedge.exe
4720	identity_helper.exe
4720	identity_helper.exe
4648	msedge.exe
4648	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid	Process
4764	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1740 wrote to memory of 4876	1740	msedge.exe	88
PID 1740 wrote to memory of 4876	1740	msedge.exe	88
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 644	1740	msedge.exe	90
PID 1740 wrote to memory of 4952	1740	msedge.exe	91
PID 1740 wrote to memory of 4952	1740	msedge.exe	91
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92
PID 1740 wrote to memory of 428	1740	msedge.exe	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Module.dll,#1
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9946e3cb8,0x7ff9946e3cc8,0x7ff9946e3cd8
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,3517434569130213349,13763086550692616845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4ce8e624d1b085d1839f453085ac86d2

SHA1
8a356b8e046d92be4ba7744d8544e9b65573b325

SHA256
e4937f28e04779431e78b3528f777c1f68d9fa3a12861ba26176ddc503ef7e6b

SHA512
581607ada9ab628a29893c0b284b8d2469edf0547f80fb1dbe4fc43da06d331553465298d905d7f23801549f34685e605a045a15fd9b87beaf75a62e26eed2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
08ab035199dd9da9bb69c1b5b8965412

SHA1
284f938a87b0e525d8c6842ff2f87eb6bbb1716e

SHA256
d6f41fff0e0544c21462596e3abbf57622a117e7f536c9aa155dd32477088171

SHA512
338818f5cd3bde7d62eaab9011318d0de8d5038cc884c2f6aca0ae188a9f25017ec3adae46dd9d9bb8d84b47561eb0a5f46e5fdcbd80e93508a0f99114a7aefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8a37fca2fd3bf9023f114bfa1ebb63bd

SHA1
a8ada0e7cb57ec25317e223ca57ada424a5f3e42

SHA256
392b2562f81783960e464ca1d2700c77709b5b9f6490281155a6f24a25d293c0

SHA512
9e0c0a6c6dbd3f81289a6d692c81d26a45853f84173e26e8d62110d7ddab54fea7c9692ef7e6a784b2416ec6172307563ce57dc566bd18e3a22af5486f9e6168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
713B

MD5
883e131bfcb45881826e96271e1d76b9

SHA1
30aab60fcfd1fdbaa09ec26baa1f56732e75e201

SHA256
cfbe4839e20e084046d15e92e8a00ca82c54eb114c141865e18964ae2ceb349c

SHA512
cb2366efad161dd05bb7036bd5c672f0b4b2e54384735fe41b093e3005746d751a0d2b85c2c49109959575c8871ff213c321848c31da032dec01111d0f6cffdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3be4d4f079ad19be8a5ed7a28025201

SHA1
6e1ccd385d2fd27681155f760f77efeb2ba94acc

SHA256
3f5a433924ddeb444b46b0c46537bb65fd5bb26c1cc445f919cb9f0bcf5330a4

SHA512
4aec112a9f92ba16958ced6ab16dc1a2069131de6cdb259991b35463f45c0c36ecdbe8bfe0a1c8afb4f101b3feeb7eb51ef53c813a0932eb38385086dcc9bca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
692d253c30eb7b3adcbc8d2afeb588d8

SHA1
413d311b49eabc90c77275a07033254da94b2ecb

SHA256
d6edc6a06f7b2e1532ac7480c598bf2fe6aa417f897be23669f82afb121c7346

SHA512
0cc0a3cbf3ee79fd12a5f8dbf3e3d7b7a2f303c461f7ed40ee51e89a82e97f0b5217d799b7498a7d88fe058d5f41091743eb4b00469385d0c8617ed56e71a3b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c416fd1e1377ca123ad68b83f5fa8eb7

SHA1
3385b61c96012f7e4a38fe3d3da083a8bfea5f8e

SHA256
ab069d15bb6a0ecffddaf54b6aa22acac5ee1225dc19b5f16a37a69dc3b395f2

SHA512
e9fc5fe3d14840144c9d8ecdbb185eb7947e9834bb6798e34e5a2da40588512d81b52b6d6efd0a4fa98f7d4e20749367fe055be0de7df9feb29e36384cb548bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72441d18fb5bb1eb82cc096778b22a4b

SHA1
905f1197dff693898f56d728e2455a3ef8a1143a

SHA256
a4efe55986d3b94bcc1230241f12c88fb17e7551a9e97618f3b9fd89cfac3104

SHA512
ad3e8201e0b2f9f044585c836b95d60b23f682d9878df8b0786c866d1520cdf3a06cc354a90e8c8265be7c7d793750b50f66f7d31341e6aded86a4ce1dc94a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c77f3cfa2c60255e1a1469c5b7bd7ae

SHA1
d58e1cefe1c1aa227fdcdab46c1efffcb53bec74

SHA256
3efb3ed4e72ff2c330d4cd6697fe34cb9742ff8ab17f8ca894873e09696857c7

SHA512
46a997f924480bd1a7174b0ef71f23b684ff901f59720e39b83b54523bd9dd09cc5d2bb5bb62099074ce5e40c06201f18369d2c6663949dd82ab2b355d86ec80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26171187d490e2d5aa98eb8a729a3b61

SHA1
3d34dc86b63322a25f785feeb64251f12998c2a0

SHA256
bf861376e1cb62c0316ec4a7c4af3c02d76af275399c9519da267bd2ef41dc5d

SHA512
c87c1f1f02faf452c7c1c0ef9ce716fb92cdb7ff1640be33deba0e11238bfbdddc6e4b6e88602dfdd4f4dd251793ea9d06b8ba417d4984b3003cd6566b4d82aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3dc62177e96ecb2c6da060d807193496

SHA1
cb3fc3cd53fb08ff179402e7956b7b4c8d91fcce

SHA256
d447c968156d6576df47b0de99b4b4a2256edbbb8280528d4928e74f06584940

SHA512
d544b19b8bca63971fca3bb2be15a53af8a982bce2bb51c2d9ca020a6d81a4e0b918e1dc0438eb0981eccf84e99edcc268b135c7f3670308fc56d096dbc6e52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58144e.TMP

Filesize
538B

MD5
f004397e1b7a9896dd68fe6465e8bea1

SHA1
5c2d4d01c840a8eaa44015b3e5c9b82d5421bcb9

SHA256
75e22f129a4b8470ee8e5a8bca868327e241fc31dcb3df852c76cb7a1242992b

SHA512
3b66efbbdc315eb8a8750d302047ea0a59dfd801d8afda05c5042ecb1de1333dbf8d53e1b67fdaaa1563bf13da8ac969b44debacd4cf6f05de7e9da038dec620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88996f8b564c8c91f669b8ed6419624c

SHA1
ccc54cfa817a325dad3cac7bee7db82476d94405

SHA256
f78be8c7fe8b90dc990177fb6f357a67854444785cf9d031192a15790a9bcddc

SHA512
b3af4baa1d17f66563614cc6fd7ac07625d1b23d827c51204df99d97d4f3cee7eafc1aba7b45e69f3393f1f2cf2704b789af73adc8afab0c359d193ce39b9dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5351d3c845420049247976bd13f7f803

SHA1
a8857664e1fceca8279d7e052696c9225c8fd371

SHA256
eb85a838db807b44e55c2e03eb51091c76278f1b5940a5c0083e887508cf9453

SHA512
fec3743b1b8c94495873d83febb826f403163d8eb05a0e0265a17671f389cba380e66ac7e6879addd7b836e2d6cf7400e8bee1e92d58adce8498c1ca98b07113

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2bf8b49ae726b6251ed4b98c8bde132e

SHA1
5e5b4f295fec6133c97b3a2b9b313e1504177e6b

SHA256
39e0a94897e8550f2f35ea74bf31a0c49173ce6586a1a89465e771302714e83b

SHA512
0d1d7752934de65768c01269eee5b96cbb2aba4a56a750bf5df7da55f14784e0513d642aad8e01c2fc47cd7c106f86d6b277e8aee3744221e10468d38a9d8844

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d12e797f18cb79137ad12b5e5139e1b8

SHA1
f15fb437b1be86b714e278ce927b315fa0e16ea3

SHA256
afb0f4a0229174f8118ab512b569fdb9eb3ebb0389cb11c9f4a0a2aa88ec258b

SHA512
f6e8f99bcd0ecff7683c8e56fa2ffa3fdff16d6c17a2066b36bc3d78e2838130b5b23059a239b29a7ebdd0b5ca36b3f9cf388945bf1aad50a3f91cb8091223cd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 851948.crdownload

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\Downloads\Walker.com:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_1740_JESRFHAAERODFBWB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit