hxxps://3[.]26[.]166[.]171/

Resubmissions

02-10-2024 02:10

241002-cl72sswbjg 3

02-10-2024 01:43

241002-b5cvbs1dkj 10

02-10-2024 01:36

241002-b1czjavaqg 8

Analysis

max time kernel
298s
max time network
288s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://3.26.166.171/

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
4388	msedge.exe
4388	msedge.exe
4476	identity_helper.exe
4476	identity_helper.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
5092	msedge.exe
5092	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2280	4388	msedge.exe	82
PID 4388 wrote to memory of 2280	4388	msedge.exe	82
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 3480	4388	msedge.exe	83
PID 4388 wrote to memory of 1052	4388	msedge.exe	84
PID 4388 wrote to memory of 1052	4388	msedge.exe	84
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85
PID 4388 wrote to memory of 4428	4388	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://3.26.166.171/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffead0b46f8,0x7ffead0b4708,0x7ffead0b4718
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3792 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14298384143552951948,18062364660833713642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3780

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:368

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f7a7d8947302aab5dde3955bdacf17c6

SHA1
b8ce66c5c0dd79b2a5e60467bdd8799a29c2d1a6

SHA256
e1967b20462275099b97d67f23dd5c087372ed6812a7f9a8355e5ed577af80c9

SHA512
a2cf7259764ce61a0587ef1ac0744ff31628307e93ce30b508691ee7b012025a5dbf2b2cd62403998177502a5a8345df8e4079f43c806eb26985d6bd6308e9eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
380B

MD5
767028abe81c1798c6e8d1943e1ad011

SHA1
df29ae3c8f534ef683ce2de49c7057e5deb2113d

SHA256
a252591e0c27d5f2892232835bf0fc9a95f79cb81be56592c07f50a48987c387

SHA512
e3c2f7e47124bf31adf938b498f5551bb83e685eb1ca5aa5e4a222047e36f389ff8032ce94f027b6ab46f039eea6412b073f73e8f995fc53cd0e228ce5b99680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
450B

MD5
81dbf7d386fc88171570369361501663

SHA1
5ef8c190b531f23e90b66012efaf9a5cd2234966

SHA256
1c664c0d85f0a9304a4a00739bfcd7736c3aa434ef76c41ba4c972b42064aa28

SHA512
e0d81454e71d36b2ce02225caa4e14dbad716a013de079cf230ad9e5f45d8c97ef250a4a9243a817efcbbfea3231fd60a3a351eccede43b51d9f183b736ac972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
380B

MD5
45717eef00bfdff27deed94b7ed0b330

SHA1
2bfb50565227ed37da3c9ce70e8649270987737c

SHA256
f2c7c1d806c21bc1ba2615ebfc8e04c1e3d929aa9d46d0146c8bac714aa6526d

SHA512
a6a5dc72ffa0123dbade4d9ce2806bc5d5d8f0791d6a5bf7a3b362d02b3c403d1a510044e5d87bf7409af457a78a94946b655277fc571db0d8138b80886dca70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1314d918eda31a0308265b98428c9d2c

SHA1
e912b6588b7eaabf0d3e0013385b71e0b2bd7811

SHA256
25ea9e25d00f1b749a8e1de06ec19c4455921ac9b7fe42fde8a305a710db4787

SHA512
1e3451f67de01392e66c48e91d94d36f4421f460421443ee5f189b6e7fae1cac2bb3c1f4d7366eaf0e3768bffd361cfbcf835b60bdced12f9147fe98eb5a48b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0af678c2968350c59fd8d81ca9fd5801

SHA1
68ddac378e9e95060318764376286f8d3f3ae69d

SHA256
2906db60a27737bea995d99321dce2ed3c70e7623730d3ca4d8203174e662389

SHA512
0941dc7c4257e7d1319b6b077fa62bd451bd3e2fde3cc238bce9917739cdd1111805acfd0bb9b4f5c0b3818c9b1180bf5e4dee542c41a6ef7d8045132ffb11d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d7080b22f3fffe7294d3812d1236ce9

SHA1
e013cc5662d2014674aa2a623439b8f84e57b13a

SHA256
30594d17c6c7d00be3096ae12b3cc80959969185590be0a4f649be2ce33bb0c1

SHA512
36c76150dc4bc2a0d0d1a11d36fbbfc7f4c9f0c85cfae826c34c6d6d4ffe11ebcd273be55ceb1dfc87763193b61ff61ff185584a80eefb8d50fcf4b81544b0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e8b101177a91bc732b84c56a09c997c

SHA1
7dbc92df039ea6a92963072d4dcf8429ac567230

SHA256
a9732f16972a2eae8651322b87a4eb83d072e49b06285317d4c288baf5d64b87

SHA512
50cda728c3e59e88888201ec58462306d16ca365415e1d7c65dbbf16257943bfc942cf0d3412929a027b9a5b5c53bec67011c77f8affd9276e25f11c6a04bc44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0431a452b700cf6884b89c94b5ed5807

SHA1
9672d0e484e46c3b87eef163a0bba353d14e7287

SHA256
b02cfdb02690696517569b221d2ec689490685f9a99845c86fd0b03fadd9fa2b

SHA512
8fad4b3a99cbe8ce67eeeb54f520a66427a82d32ee5a9e3f3e9e409192571252e3d5dc75b8ae6e82ae0ae81109c120c0098234c1e005e79358a4b6a392fac3d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e5b1bddb80ca36e3d0443b0259c54f27

SHA1
89db021557ea0b1ed62e2919f95c6b8d0d1d3f05

SHA256
f914e13113a82ba52e2d092dcf7257bd00c858e45956b78aa0a01af78eedadfd

SHA512
602cf5db5d45bb65b9d96ab1367e29b57c03a3935304ae25caf2d5756631b485070c7b0593283c89f719336402386d646d76c46cc98951255d03a81035bccbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afca3a37f92b139bae018dceaa866652

SHA1
bc69d2b42e1c6b167f5125b3bb0982b341ed9b9c

SHA256
1940f1e370903834b71746aa0ff887bc39b3456a291b7914eb7c45fc335edc08

SHA512
ae8804a6790906bfe3d5f626997dcc2fc624a3844e73baa8e05ac153aba2bf914749aa77e3ed999385ace211bfef09e92406ace231ea8c9cf9e8453bc165ab34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a1b32c403b2222f27e9275037593f14

SHA1
c96bcc098b338b2016a8d6f39a6e6cc06bc9c051

SHA256
4c94efdc801af37283be44b892e40cd0a137a61feb27ad840756cf1eb39c20d1

SHA512
4f811499b1897cd5899e49a31c4f68b07698261d2619fe6e871d9ca8a10ea939ee590b9a9e385e13ca278dbe884149d8138007c5580371a3e365191350f35543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8d5f4ef444013a491fec25f8a2fe5d0

SHA1
6ac7f11da0c4cf751a13a37729960ee8687ec319

SHA256
665eacf27fb0ca6371d112d035f8d13c47d0c4bd18141344f7ac7c8bd13abd96

SHA512
7ab7aa5720e543cb69f6d9aae1e12c877fd20baafa388059ef4303d8f8b2c1a68adb1267bce7e0cd416e95bc1cd4118d5647bbb8031b8e4652a73bac73bc8c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c03a8bcd1f80114fdc53321f42142ba

SHA1
076511f75cd6944b1caa73108538168922161975

SHA256
d7b2363e3c442c77defe0bead6280310ca19014524871558596dd5b12e5be850

SHA512
d996b5432521a44596bf6229471599b3558e85872e2b05d6630f9107d131e7ece434738262ea2386daf355666d0f87592df494dbff88b35aa7d9cd14ca038893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c55fd9027dc8e14df696b61f362dbdc

SHA1
ff15959ac1f778b5f5f5cc9616bc0fcc411128db

SHA256
c824d8e068794db44beab12985d8b43af95309179bf4bb25728a25750993fcea

SHA512
038a7f3a3b44488a6feecd1d04fbccac276a5ec4b21002acbdd7081807df09af598fddf1767aab797ff2a3734a362ae705476a983d8c0646aef7003ee75ad240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8a709ad3a9485aaffd86dd57b0d2c491

SHA1
72ff1eb5b774477231e0b645f4d62515167ed960

SHA256
763ca6f88eb48ae72346d5cd2199b1bf51ee7c12787aa99fb567b87fbb46de80

SHA512
31a4b2478668831017876eda3617c73ffdeba6b4b8ffd6b612ac554d07118be78edcfed28e705e613896e126d5f8ba49c816317b04b5925947786af5c6ce5736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e83a9fda31c43ac10732dc4d1173d41a

SHA1
7688dbf3e4523af39fce26fb560b168cfd7d8de9

SHA256
a2a3550c0cf33e3fe6d220907d4a339b44ed174e353c80d9daa7d913b3acf31d

SHA512
d992a66b3796bac774314d82cd412580279f53a36b74965bbdb23621ae18ec6f122dcf37476edc74767acaef24c37460d2d9b485c4df1f0902ed428bd5e8de66

Download Submit
C:\Users\Admin\Downloads\download

Filesize
279KB

MD5
4b7c22ae2930b79c120ca58315b0c3e2

SHA1
04c6a2cdccd3cc37faefd8c9d6d1792e326e8c0f

SHA256
5d9570f0a7a704c46cca2266fe535d79bc6dcbaa73095e5fefe390d9340f32c5

SHA512
9e70ea309a907c676a1a829c300fea2176fb13f00e109e0366b7724382b3b0e31ba7196e66c62c2a0a40fbbb03eea3e344b226c457f86392b4997c3ebd5c802f

Download Submit
C:\Users\Admin\Downloads\recaptcha-verify

Filesize
3KB

MD5
599315667196d4ef33021b817a49b6f0

SHA1
cc80f15d5ad87c27e5683f8932160ba7c3171c35

SHA256
081540c8078eac132d739fba726e509ff7f7d081bf3c342a966c5a6b48a5cb63

SHA512
3e589def530012215243306c2e28decdc6de26b1c2fe515ad728bacd2c3648a7c5cf5265da80dc78e99de93ee67a1dba4dbe1190436f55bba49abe731237994f

Download Submit