8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Resubmissions

02-01-2025 17:33

250102-v5bf2ssmhp 7

02-01-2025 16:30

250102-tz5l9s1leq 8

Analysis

max time kernel
148s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper (1).exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2056	BootstrapperV2.11.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
9	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3276	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{A6D996F8-3090-470E-A001-03674F8E6EE8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2056	BootstrapperV2.11.exe
1896	msedge.exe
1896	msedge.exe
2120	msedge.exe
2120	msedge.exe
4084	msedge.exe
4084	msedge.exe
2420	msedge.exe
2420	msedge.exe
1196	identity_helper.exe
1196	identity_helper.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe
Token: SeRestorePrivilege	3144	WMIC.exe
Token: SeShutdownPrivilege	3144	WMIC.exe
Token: SeDebugPrivilege	3144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3144	WMIC.exe
Token: SeRemoteShutdownPrivilege	3144	WMIC.exe
Token: SeUndockPrivilege	3144	WMIC.exe
Token: SeManageVolumePrivilege	3144	WMIC.exe
Token: 33	3144	WMIC.exe
Token: 34	3144	WMIC.exe
Token: 35	3144	WMIC.exe
Token: 36	3144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe
Token: SeRestorePrivilege	3144	WMIC.exe
Token: SeShutdownPrivilege	3144	WMIC.exe
Token: SeDebugPrivilege	3144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3144	WMIC.exe
Token: SeRemoteShutdownPrivilege	3144	WMIC.exe
Token: SeUndockPrivilege	3144	WMIC.exe
Token: SeManageVolumePrivilege	3144	WMIC.exe
Token: 33	3144	WMIC.exe
Token: 34	3144	WMIC.exe
Token: 35	3144	WMIC.exe
Token: 36	3144	WMIC.exe
Token: SeDebugPrivilege	4172	Bootstrapper (1).exe
Token: SeDebugPrivilege	2056	BootstrapperV2.11.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 728	4172	Bootstrapper (1).exe	79
PID 4172 wrote to memory of 728	4172	Bootstrapper (1).exe	79
PID 728 wrote to memory of 3276	728	cmd.exe	81
PID 728 wrote to memory of 3276	728	cmd.exe	81
PID 4172 wrote to memory of 4816	4172	Bootstrapper (1).exe	82
PID 4172 wrote to memory of 4816	4172	Bootstrapper (1).exe	82
PID 4816 wrote to memory of 3144	4816	cmd.exe	84
PID 4816 wrote to memory of 3144	4816	cmd.exe	84
PID 4172 wrote to memory of 2056	4172	Bootstrapper (1).exe	86
PID 4172 wrote to memory of 2056	4172	Bootstrapper (1).exe	86
PID 2056 wrote to memory of 2120	2056	BootstrapperV2.11.exe	87
PID 2056 wrote to memory of 2120	2056	BootstrapperV2.11.exe	87
PID 2120 wrote to memory of 448	2120	msedge.exe	88
PID 2120 wrote to memory of 448	2120	msedge.exe	88
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1488	2120	msedge.exe	89
PID 2120 wrote to memory of 1896	2120	msedge.exe	90
PID 2120 wrote to memory of 1896	2120	msedge.exe	90
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91
PID 2120 wrote to memory of 4056	2120	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3276
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.11.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe" --isUpdate true
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/8PgspRYAQu
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96eaa3cb8,0x7ff96eaa3cc8,0x7ff96eaa3cd8
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      PID:1488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:2244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
      4⤵
      PID:3908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4052 /prefetch:8
      4⤵
      PID:5000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4628 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
      4⤵
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      4⤵
      PID:3428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
      4⤵
      PID:3196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,18198870701137732763,14421748168098399671,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
bc826122dc19f58bf98460a79b05f1a0

SHA1
5319051f0bf63ce8f69c3617c230332826645152

SHA256
2827b384d388215e0bb4197ce2396fe3e72ac68765af85d4918788f9f2a57a05

SHA512
ddca191f53c1c755440e832139e7d0de2f0ebe3501299e1332f2dce434ac1b988095869133b5a0fd59e0794a9185a2507dd2fc52012f60f5cd0ffe2a106aabfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
468B

MD5
62f83140557564aab3606b9bf7b89eeb

SHA1
1512f0baf5b7f4c7b6a6e4d8fce9937c520c6904

SHA256
96e1514b15b561faeccf9ba07ee46acb9a09a3cf895871362c8e708701e1e11a

SHA512
7306895bd60baf902c8dff9d5668228c59eb32cc32febb44e8ef33f815cb4ac51d97306db98c8c01009d4820e809a65eba6898e9c2422c183d7c11fe26a363e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ab3d7ac08020e0b3a7a4587a064f68e

SHA1
4e393886f6124f88564297a04e07a881c509857c

SHA256
2dabdc8d15899f752119d612e642defec6cbaf255b9745499b210bf12878ef8f

SHA512
0ea1ec3ad1013962f129debfa600f7e8ceecb06c68ef107662653a09c7088963a0c01bb0791f173bbcea860cba67a579f4262acac6df5468d805e2dfd1a4a633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b8065013417dc134182224139ac7559

SHA1
9bdade57211ec2897b4350613c31c4a8737153ab

SHA256
099199bbe8a18e17ca7e8769e72f914bc5a61cbaf2782aea8a03a8bbcf0eb065

SHA512
4730516e19734ad57ddda38a1ab8c066b28cb61d674bbcd276ccba5b4272e6f4a4a797d8034ec4b30ee75642357fa02586a361335f33d1204ae116cd6687a001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dbdde15aec22a05350490d3180567a84

SHA1
cb08b6f4a187f0070a24004d416d2cf48af36a29

SHA256
787d4688ed95753c296530243732405548c5402e4e93a0454792a0f5f1c20e16

SHA512
7e48053dbb3366028a688fc5adaafd266fbadcb0c5bafc32142a202584be6635d62bd0a34ade27f6dd18623b15f8763a8296c0e97835317bf8e7aafd60fade10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2a9a1faff35b1de54aa1c82ff1940487

SHA1
2b781391adfbfc91300bb41bd4f51046f62d54cd

SHA256
91d840dbb030e03192f9711db9d81ca2dca33b1fbb79ae3a4f8f325ac92ddc70

SHA512
79c72887e90ac8291637a84bc79d3be606e097de7da64b4050b5e2d8933f7202f8bc306239b519a12df9d31cc6826492a1c33a9894d4e5b4da35b82530de71ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.11.exe

Filesize
2.9MB

MD5
6ba3f4d057686fee3f1f792df10d5869

SHA1
ade4a1ada7886ca1bd4c8d7d1d3cba62f9e018a1

SHA256
1aeba3aa813d2a63819a2051ff3a657cea022d4df5e6a6f88abe947d1db00177

SHA512
79e93fba04fbdcad41b2b45462ee4994e08d8a63eee9fad2713a2b886d8fb4f697c489150466c883c3b0e039b4922b709fd1dbd4bc882cb16b9d9efc139a2285

Download Submit
memory/2056-26-0x000001B5E8490000-0x000001B5E84B6000-memory.dmp

Filesize
152KB

Download
memory/2056-23-0x000001B5E8420000-0x000001B5E842E000-memory.dmp

Filesize
56KB

Download
memory/2056-18-0x000001B5C9A80000-0x000001B5C9D60000-memory.dmp

Filesize
2.9MB

Download
memory/2056-27-0x000001B5E84D0000-0x000001B5E84D8000-memory.dmp

Filesize
32KB

Download
memory/2056-28-0x000001B5E8BE0000-0x000001B5E8BF6000-memory.dmp

Filesize
88KB

Download
memory/2056-29-0x000001B5E84C0000-0x000001B5E84CA000-memory.dmp

Filesize
40KB

Download
memory/2056-30-0x000001B5E8430000-0x000001B5E843A000-memory.dmp

Filesize
40KB

Download
memory/2056-31-0x000001B5E8C10000-0x000001B5E8C18000-memory.dmp

Filesize
32KB

Download
memory/2056-24-0x000001B5E8AE0000-0x000001B5E8BE0000-memory.dmp

Filesize
1024KB

Download
memory/2056-25-0x000001B5E8440000-0x000001B5E844A000-memory.dmp

Filesize
40KB

Download
memory/2056-22-0x000001B5E8450000-0x000001B5E8488000-memory.dmp

Filesize
224KB

Download
memory/2056-21-0x000001B5E83D0000-0x000001B5E83D8000-memory.dmp

Filesize
32KB

Download
memory/2056-20-0x000001B5CBAB0000-0x000001B5CBAC0000-memory.dmp

Filesize
64KB

Download
memory/4172-19-0x00007FF970EF0000-0x00007FF9719B2000-memory.dmp

Filesize
10.8MB

Download
memory/4172-0-0x00007FF970EF3000-0x00007FF970EF5000-memory.dmp

Filesize
8KB

Download
memory/4172-5-0x00007FF970EF3000-0x00007FF970EF5000-memory.dmp

Filesize
8KB

Download
memory/4172-4-0x000001F675E00000-0x000001F675E22000-memory.dmp

Filesize
136KB

Download
memory/4172-2-0x00007FF970EF0000-0x00007FF9719B2000-memory.dmp

Filesize
10.8MB

Download
memory/4172-1-0x000001F65B830000-0x000001F65B8FE000-memory.dmp

Filesize
824KB

Download