f26a4285c19d110ea7b26951b79528a4c3e18ee32e272d71a1d3690cefd133dd

Resubmissions

22/11/2024, 18:49

241122-xgngtawmfx 10

22/11/2024, 18:38

241122-xaj6tasjak 8

22/11/2024, 15:49

241122-s9rmqazlen 8

22/11/2024, 15:46

241122-s738qstmhx 8

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22/11/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

d9f36e39a89710a3791fdda6716be364
SHA1

06856b45244948129e9f7bf56d544c3b9e4f2ebe
SHA256

f26a4285c19d110ea7b26951b79528a4c3e18ee32e272d71a1d3690cefd133dd
SHA512

621eb4ccbd8044910a00db6bb6e1d594dcbd1198a60b77c8e13a66d1ef34b97536094b9c58521c663670ff02b740e5223f1e17917811b0fcac6f42780a277575
SSDEEP

384:5gGl+1ocy4B4lbGa0MvhpNKtxMLltAlObz6r0sZrfx1xCejiw:5Q1ocy4qEaHJpNmxmlTbz6r0sZLfxPiw

Score

8^/10

defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
4972	tor-browser-windows-x86_64-portable-14.0.2.exe

Loads dropped DLL 3 IoCs

pid	Process
4972	tor-browser-windows-x86_64-portable-14.0.2.exe
4972	tor-browser-windows-x86_64-portable-14.0.2.exe
4972	tor-browser-windows-x86_64-portable-14.0.2.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 973980.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1624	msedge.exe
1624	msedge.exe
4972	msedge.exe
4972	msedge.exe
2976	identity_helper.exe
2976	identity_helper.exe
648	msedge.exe
648	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 844	1624	msedge.exe	77
PID 1624 wrote to memory of 844	1624	msedge.exe	77
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 3012	1624	msedge.exe	78
PID 1624 wrote to memory of 1120	1624	msedge.exe	79
PID 1624 wrote to memory of 1120	1624	msedge.exe	79
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80
PID 1624 wrote to memory of 3592	1624	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefe1d3cb8,0x7ffefe1d3cc8,0x7ffefe1d3cd8
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,14971918817700537394,12643341833068882508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2de46a4d-165a-4920-8d0d-e89815c92106.tmp

Filesize
409B

MD5
12dba3350c494136ebaa3db26ef4f6e8

SHA1
96f52d10bf3e4f590a109e73cb1265c4a09c4ef0

SHA256
53f78529f82f564a4720894feff1c55e2483e550c719c20b2cf169faef51df42

SHA512
3e45d767b06dd0c404f9cf746f1dfd29872a5a7d6646286482086e67d3a1819aa7ea668ffc2ea7e26e5e29ae4f17c4f0bcbe1879a89c37932a393b14d6aca43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
34dda33e3732d30e024702cc9c1e5d04

SHA1
f2f62c58e654f262668669d9491e5a7ae679762e

SHA256
04bcbdfc392b06b58476e53911fae28242e9f4a7b8e7fa9e63702ef32a827ce3

SHA512
ff66cc8321aab4de9c78d8f079b75dd3f7e9b8778c53716483a9ae05855737bd57e0d1ee973cd59905408e5e5d43c356792000d5fe3a3823470a63a8793700d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1fe59a4d615645df62a32e3045edfed3

SHA1
70d79bf71acf50ab3c0ddf5cd420b27c8f7e6704

SHA256
bae7ccfaa777b6abf897842c75f457ffcf11d3cf0a0fd968c702b11b3f98be93

SHA512
c1088bf55904a9f6ab25610a19ded1a8e878ec1c03af68194148f1cd3e6f69e58b4b637d618b496947c568d929b81956fceb296c1793581143a23f96ddfe0eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e63e222da01c4bceef330be44db3a4ce

SHA1
9ad7b02438554a424e4ab90067460858b8188cf1

SHA256
5bbf5e324b9c88967ea9d108c078c5812fe547fa2bd64baf453d2fd2fc75f1e3

SHA512
60f0cf2df85cc9406b133f41a72c85f8e7825266303697ad00b25c8a6c35df88562703def150133420cf2c56c38380696b0a8305315351d3bfc276762462e58f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fc365f3e3ef285d75d15189165b052b

SHA1
7429a00d77797e86b29c22371713d6427e1e28f9

SHA256
74d92100d1556526c7cdea39f6da6fbb5956ad9c59efdfe6be00943c53696d5c

SHA512
d2dc5a955abd958b39d5f7320d440e848c6e8de62b575e5e088f724127c75fdd1100c0c43a91c2be4d105dc09189134f2644f204a04c070e4fbe26ea366abc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df75fe18f8cef53a4cd7387afa5c62a4

SHA1
a4e9af04223a8ae5c02b423e301903aacf7c5693

SHA256
81de7ca80ed0668505532ae109b8d3f1d6a54b1be4f72f04de45e39ae3f56444

SHA512
fe08857587c2f2662c26fa2bc5d07676d8d324c2ffe7135b77323b743a38a3b18f8fb326be6e6373b0dbec90095b06ad18858343dfa195ca01972799d14c67ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81239ce390ed74049d9f628f23338355

SHA1
72ce94a0fb1b530f8a3353fbd1ee2ccf2445fab6

SHA256
8d288d0c2320747e110e402116bae71473eaeefbdec79a2a2d8b80ce792a61d7

SHA512
f5d1b5f2d2203477f80f1109e31ba0065b8b49924387d6dcfa71d8f667b922beada50a946bb4281000dd186677e1ef3e9448874949cce239ab2210b54a1327df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
710a57dfebf607739ceb9cddd76ffd83

SHA1
3642c45ef7a75347f20301d993da1b2cccf5410d

SHA256
695da1e5907ef506dc688f073da12d5b1b29f66edc28112690bf3555e9cf4734

SHA512
0f3ba383b366b20f45047c65845414984202ef93f6b7f70a60a65af60e6ddb72325415cef86340cbc801653cdb87c609574edd978f4111384f325f3abffd29d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58313c.TMP

Filesize
538B

MD5
6dbd5d50206c5df6d30bf5ecb0f6cc27

SHA1
dd6e3fede35a32fd975c39d139088bf6afccbace

SHA256
535f8ee55c4e91dfd6f90d767a7d7ad8a069457025070bce9714f499dae5ef4c

SHA512
dcaa7e4528e7dfc51c430179e6b16da0d5e9072e25c4956927a81ee1e9d1f8a351c38df35621b3d79a17e3d6579e29abf5023a0384b4c630e77d04373afd5012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\afd4de2a-b776-4090-94d2-2f7d69a039b8.tmp

Filesize
706B

MD5
acc76487d4ae3f902004618f1d5269a7

SHA1
c9d7523bd2418275f125ce63d017809f2859915b

SHA256
e43d88caea3f7c2a570b5595c7d2b6e894fb1f08b393c4acb7f8c3d6bd21d9b5

SHA512
6dffd23e9e59b1fee4c4725b6409e1fbe0f2621e4b5d5fc334ffc43124bcaa060928727d7816c4efe2e7f3ad93fbd17c331b743959069a0c72924e2768d3190b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93906fd44c18756cef06c5fe60d3d187

SHA1
03fd34b39c03261e3d0cd6500622f62576c7ebb3

SHA256
2a0ff0cf2959729dae14e11c2e37e2587a3b17088f14289443f6a558825dac5a

SHA512
15fb154ce86068bcd9d8940cca5fd03bf6ef763b55b4a389c6d81b57eb872a476a59cc79719109def54b2994351c43a4ccefca481ffc74913e25ac09e3865dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
31911dd254189cd8ac5b929095bd3603

SHA1
24ce79197044520b5ceb10113915ece90a5fca8d

SHA256
6e8c79c9e992bc2fe97deba3d5ae020fa2cabc5372233a4ab11c8ccdc3f520be

SHA512
3e694edd59cd2aeb4b0ba8a7c340ea1e8743d3e74d0de8b68896ae68de96b84a5e05cd785adce85b97d95dba573c7a2bc7a01303d83f989094351414e29e2702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e73c7f0d9c69cbe4b63c7f6b94b42a4

SHA1
e49c32c18f100d14f7dc4e9b73eb0b1297b4ac58

SHA256
befa8a2e1e013d510d1a884b3ff108ce9a2ea0a95bd22666b06d44aa8d289117

SHA512
2db32b94b923b5619173e2780b44c8cc82880b537a575085d995e2f6cf13192c6c10acce2152f41f8394a813116287e5c24b8c61339d7fef906594aa50bacb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF72E.tmp\LangDLL.dll

Filesize
7KB

MD5
9888fb6b91a680305b2a3e7b71d6561d

SHA1
4a7935da38f88e9f74f425078ee39eb6269c4e63

SHA256
81726604d47b192620bcf90d6e42ba8ee8b4c54935b0081655e08247d6b6c675

SHA512
f50755e5624bfc3a60a23a7dda012509c1e31d9772d6a0ccaca88e32ae8d4602e10e38003d78b1626464502db7ea7c47d772efb7b3ea7c3e2238bf3b9809f833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF72E.tmp\System.dll

Filesize
24KB

MD5
d997606c77e880be2744c44128843d60

SHA1
92bb9003dc14ae03963f503e82a668877ca4295f

SHA256
abb2613ff851b2cbfb61bf97e4eef9d4912abcb46e04774ad84812ab75d4dde9

SHA512
714d7ce786e9fbb6f0d0e537a146a3a24aa79089669dd168b7c110dfba667fa7afb794b3dd2b93fa76e1d1771af3347a0f568cbb0fbcc8d9755de9e6e54382b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF72E.tmp\nsDialogs.dll

Filesize
13KB

MD5
bd0d7a73d0fc619e280372587e9e3115

SHA1
0cde473dda5d4fda8190e6460f3229cae2571af5

SHA256
c7f2afe3a2424e71563e69d862dc027d299d84fba4ac1ba11e593361daec0a80

SHA512
914983bfa336f9ea019bf5dc9ee403af56a6c7c1d88b8092609e4026a3377daa6ef9a8e51a93537f6769ae165c264763645a363fb6a89f8689f59caf985c18b2

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.2.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit