hxxps://www[.]mediafire[.]com/file/3ygxr7dbj3epxq2/mycp18[.]zip/file

Resubmissions

09-09-2024 03:42

240909-d9j6basflh 3

09-09-2024 03:34

240909-d456lasdka 3

Analysis

max time kernel
81s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/3ygxr7dbj3epxq2/mycp18.zip/file

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5628	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
3988	msedge.exe
3988	msedge.exe
5068	identity_helper.exe
5068	identity_helper.exe
5716	msedge.exe
5716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE
5628	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2704	3988	msedge.exe	83
PID 3988 wrote to memory of 2704	3988	msedge.exe	83
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 3180	3988	msedge.exe	84
PID 3988 wrote to memory of 744	3988	msedge.exe	85
PID 3988 wrote to memory of 744	3988	msedge.exe	85
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86
PID 3988 wrote to memory of 3864	3988	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/3ygxr7dbj3epxq2/mycp18.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9c6946f8,0x7ffc9c694708,0x7ffc9c694718
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7400 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10423460409200303289,8698944896226926486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
  2⤵
  PID:5736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5712

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Temp1_mycp18.zip\mycp18\livre.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0c8342d5c11d14f3402be5ae1292032d

SHA1
3c8ed22bd96dadbae39d1fd069b296fe7dd97d4c

SHA256
d541c29c0d4d03a6f8b1adfb1092326ebee36dfba32e85fffd95802daaf27984

SHA512
c43e9120642b07e913655a1d01d0a3801cacd6c0398e6e0eea27ab48037dfad86ab7b97ee012e3f5f9644156dd85df1639bfdd08bf8ed2df9348db82232268fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
c21be8b8a83c21b1a54179390dac1391

SHA1
2da816352817defd1c304968be6793acda107c16

SHA256
7c54792a82dda21426252d8a69cccf8e09c1e47427f86c01743616d2fcb99cc7

SHA512
ab39d656d83146a861e96c75b49a26977ec15c7db54f416a22cee303d06c09f7055540fa26b737ae4b2bdecf46dc78afe8b4c9783d841f7d1b74e6abb1519835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
effb88ec0108d4669160601ab9f7169b

SHA1
ae2f008f267f4779cead02b7e63887bf533fa6df

SHA256
46d2381bb8a3769e195f65554a2dd7fe31ae5c896558dcc8273644b9ebe3782f

SHA512
4342fe5baadcb8750d3aa2a5907c3cbe33c939666e94fbfb466a23f9953fb25207a30ba02eb14dd53a96e4ddc456770f7399338fd86d5c786b43e4172ecd6822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2c90870b0da978e84585ac45db0302d

SHA1
12d31dec05683c23c487962b0df51cbb8678adcf

SHA256
44811d777ac0c5a25fc1f6a1ad7b4bd8e136e0b2acc03b2857f0ab685b633405

SHA512
b70e2a2995b789962ccc110f4c4b76c98e18c568d30ee6d14cf584e2c1280bcb88372f7e67b83b577334ebcc7c1e6e04f87a8adf81fcc52c1b47a4e1129dda34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
bd3a7da6a9f4e724efdea75426eae6e1

SHA1
ecaafbde35fcf34b9d21e2ca7a14ae421b876ba9

SHA256
7b4e99b713d524451a5d42ae6a39245c294b6b65959a32da7cf78d3ef2358f1a

SHA512
e7577977b93e8c0cab4780b42de915a891757aeccee4a8c178573df22c04b25cb71a521fee3ff7a61b415cc64723a4f56956d4d654f6cd521ea7def01cccadf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
10eb5c91c83b060f4139ab7dde7601aa

SHA1
e4e0293ebcb0ac2d0095912d10906c23a24c1f2c

SHA256
dd6b180f1ccc78fa6d1e99be0ae9ceba9e969ac923ef5bf33ac854c30031cb00

SHA512
bcdf548a8bf11349f1d1f780b532b158b94f4a3564c74f6fb860de50e6faa8ba46f27915985c18e0c86cc7d64cc15b8c4e2b5ee2ee2b2dbb8a61a295277cdabe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f4ff.TMP

Filesize
2KB

MD5
68fcc46e7b2702b17bb671e41e5f9362

SHA1
de3d4de3f260d5177200eb7f650943e705c1b0eb

SHA256
77d753c938af37ae34a43143febbef5c588183bcc7b1d1034aa3dbe6ce5e8866

SHA512
6edd887f3b06c7edb478210b77295432102f231b3b1ba67f70a98bb3998963b093ce2d23eee17b82f9a1c81d392e2cb148a2820c615eb67bdcde52f6106e3274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
497c4b4e9d7f4c18c218a74129097215

SHA1
7d04b03d929f882d26e66c1001a053f9ac2fed8d

SHA256
db175e4a065e1937b5ff090fedc031d271486d0cee27ff75bff91cb81d9bca24

SHA512
2626fbf85768906cf2f3627b8767c4753f5b90b98178610ea1e078c101c959f3fae4f507ec7f162d23fd49b5a0a52ec1d491127bf88d87c234d400720110c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c6803bb88d2cbf1717d7aa97e18b2ef0

SHA1
f1147c162523741e648323e1d8b9d6fd8e0cdd52

SHA256
ba9bb1023a3b7f4c064756218045ab9a8fbe9dd0e08244795589ef955da8b79e

SHA512
6f41e3f1b5198bba2ed48b7c09c3b0c6967743c86cc74dd0293792baf8ee65a859aaf05daf3bdcf89edc13b633d180df2552ca91f5b68e6e0c8b20b26a849802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9739a5b9295fa0eeac7e56d5ad0716ae

SHA1
0a31ac2c48e4a5e6913691b5eda19ba99da6172c

SHA256
86d805e512603d56ca3191e325a77a566cb25bc778f099842988044292ac4c29

SHA512
f75e881b3c3e83140f4f31be67c36095cfefaeea7393a7858d384f28c4855c8357f424f0126efc8ea6cf5084b15909e17e5193174cd479d63313de2836943ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
16f556abd18a712b87c8b8da064d650d

SHA1
686156c1f14f3013237a308d4bc2ce6637e53611

SHA256
38457176df0365f097a4123691ef19e47f1307e04a14ebcf989269202ad0d431

SHA512
6912b3e503dc0c1401efd99278b88aea348e3be3b9ddb97fe74a12d612f3abc7089f1c65d4981dbb97cd4aeb1cdd92a22e5d7e139e1472347698dcb86e049f83

Download Submit
C:\Users\Admin\Downloads\mycp18.zip

Filesize
7KB

MD5
7cf83abdd7c91ab5f647c3c40ec9d750

SHA1
0c65b820450172bbad4a8fd0f82687d0313b39a4

SHA256
75fb965061d9187b6dcdcf56244095435196cc8dea19f90f6cc3f4f54bcad4bf

SHA512
7376373934190f17ee0a9c5db068e32ead92eace8d88a12caf6ac23212e37bdc8642c7273df1ed39d75646a65f0f8c83d8af22854e4975da1372dc87b67ceb36

Download Submit
memory/5628-322-0x00007FFC6ADF0000-0x00007FFC6AE00000-memory.dmp

Filesize
64KB

Download
memory/5628-324-0x00007FFC6ADF0000-0x00007FFC6AE00000-memory.dmp

Filesize
64KB

Download
memory/5628-323-0x00007FFC6ADF0000-0x00007FFC6AE00000-memory.dmp

Filesize
64KB

Download
memory/5628-325-0x00007FFC6ADF0000-0x00007FFC6AE00000-memory.dmp

Filesize
64KB

Download
memory/5628-326-0x00007FFC6ADF0000-0x00007FFC6AE00000-memory.dmp

Filesize
64KB

Download
memory/5628-332-0x00007FFC68B80000-0x00007FFC68B90000-memory.dmp

Filesize
64KB

Download
memory/5628-333-0x00007FFC68B80000-0x00007FFC68B90000-memory.dmp

Filesize
64KB

Download