8e1e6f953e622629b47b58b69c16ebcc34e5bf9a3705c95e1c70faca8f8041f9

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krnl.zip
Size

9.6MB
MD5

5490f7ea67121b425538f55ee546205e
SHA1

8bee391b0f0c63108a0905829cf3b4a2fbdd09a9
SHA256

8e1e6f953e622629b47b58b69c16ebcc34e5bf9a3705c95e1c70faca8f8041f9
SHA512

6c9fe892a513928cf364c0aafa7332bac0c55679e8f8b47c2612df498e41e7379c2945a2b82df2cb67e14bb4a362f854cd9d52f09ef3c250eb2b106d99cada7c
SSDEEP

196608:LGxksCq6EhU6I2Zas+uBFLVvuGNUNymk3J25Y98Mfo5yx7R3tZQL03gt:SWsC5ELay9uiL3YebwkR+

Score

10^/10

google discovery phishing

Malware Config

Signatures

Detected google phishing page 1 IoCs

phishing google

flow	pid	Process
89	1824	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
3792	krnl.exe
3428	krnl.exe
2192	krnl.exe
4272	krnl.exe

Loads dropped DLL 20 IoCs

pid	Process
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000c000000023c39-39.dat	embeds_openssl

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3792	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
3428	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
2192	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
4272	krnl.exe
1824	msedge.exe
1824	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2544	identity_helper.exe
2544	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3496	7zG.exe
Token: 35	3496	7zG.exe
Token: SeSecurityPrivilege	3496	7zG.exe
Token: SeSecurityPrivilege	3496	7zG.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3496	7zG.exe
4272	krnl.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3788	2912	msedge.exe	136
PID 2912 wrote to memory of 3788	2912	msedge.exe	136
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 4488	2912	msedge.exe	137
PID 2912 wrote to memory of 1824	2912	msedge.exe	138
PID 2912 wrote to memory of 1824	2912	msedge.exe	138
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139
PID 2912 wrote to memory of 2276	2912	msedge.exe	139

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\krnl.zip
1⤵
PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14193:66:7zEvent20582
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Users\Admin\Desktop\krnl.exe
"C:\Users\Admin\Desktop\krnl.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Users\Admin\Desktop\what\krnl.exe
"C:\Users\Admin\Desktop\what\krnl.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Users\Admin\Desktop\what\krnl.exe
"C:\Users\Admin\Desktop\what\krnl.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Users\Admin\Desktop\what\krnl.exe
"C:\Users\Admin\Desktop\what\krnl.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff6c4f46f8,0x7fff6c4f4708,0x7fff6c4f4718
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Detected google phishing page
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13788871673420425834,14915481556588974108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
26KB

MD5
1fdc7d5f60f441782b608e81738dbef2

SHA1
74f699940fb527aee9bf21e8d6172b769c549ff4

SHA256
a1538cf05238cc6c7b0ec08ccda41ca1326209b03f3942dfc49194d79942c738

SHA512
7e481bba26d4662c714b714a78e5a002f43803d50637983650b1827237dd7ca0d773fa1b8b016092424d1f7910e753993a8f04fa81d791f98425f0c5cd5c79da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
26KB

MD5
60bb41e47c7cf13ff0e6fb48aab75a45

SHA1
2820163f42db1d49645e2ce6a71014b43a1795d4

SHA256
106a20e94e0114d3ded1a222775913452011a94bd2012f4b223bc2938f17c5dc

SHA512
dc5621d766b566d6fa71e37e97e79ec6e1a78d407c9d8bd04b5fc99fc53df6a816706b459fc4516c3545cfca3f4e3fe74af56830c0c8178ef13dc1cbc31e41ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aeef61447bafe0f253494d42917fd751

SHA1
dc0e6f0afcb675b45b296eea4fbc594ba4219c89

SHA256
504043973717bc6b194fb80e4e1233a93151cdba59abe9cbf878df1e2250d86c

SHA512
c5488355af712b2807ab16ad1aa38ef1370081c4b6e1be8923ec40d26b01a93175c9c658fec81ec68247fcc9beae48da1a3d279015a6f940f8f5941f44760942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5ffa023d6dfe4735e65828e5090521f

SHA1
806910e42f7fd3a134a072464c73f8f62d00c8e2

SHA256
e0c3f2c82c37aa72b3cfae79348a0caa1b544c1f995506a682b7133d5bcc1d94

SHA512
ac3cecfbc078e674355b47a5eee9e090e2940c09e2d8c05216fb6c606db5f164b588c6c4db375917d051b4c9b486e17eb72a739725f6f4f4dfc6ef1f6a2aa9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
adcc48607a971c4e742bba8adce34573

SHA1
a28393b6abbfda39cbe0b24384813235d933d663

SHA256
bee8c2e5e2a47b9f19836b5efd586083d51eb411b94f8265777ec96aead2b03d

SHA512
6af0ce4407cfbb5d6e7be1c028e2e58f020e66dc0295bcd0c876e978e33775be17f06cb656c46f6016087085785b843f7e3107fcb603d808769a3045dd4e2cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f3a9cdf09cae5ce06d0f068b84f4924

SHA1
f76b22cabe52eac3ee03072055d071f277a9e0f4

SHA256
869ec77f925d7d10407eae22ca023924c7aa8b38db158c08aed537f56dc65162

SHA512
c2c7cfc8fb8a01f9217e0ba15c3180642cc16773a3019e1ecd6956b691d5037f3199c0fe0ee6194be0cdadd193cc3f68c17d899e6dd79a27ea8adec82c9e9b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
7f6c1a215966e37cc562f22db87e81c0

SHA1
18827acb7f829e7f20d90aac204ce36ef0c2df07

SHA256
837f3e7adf33921f41969e4e51e5740cd35b7423dee3e955a85d291be6e05eb5

SHA512
24baedc235fbc40908d4ace3cad45e96e9e391177f46d6cb3473a8d0583de59970a1d7a52f349410e77ca7b17c41321736d7126f623ba28cbc92f062bf1a6a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5cd077.TMP

Filesize
538B

MD5
a5d20a272194890315bb627b4e31dc23

SHA1
06aab6658bc944b45b7d0c46f04d47c7805af358

SHA256
3bc3791ebd8e927393a5b9c47a74aab88d2b043de87f19520c9e71dc4f48d3b8

SHA512
f2d5a86bf8baf32ce0c8312f79e9820edf175283cc3897d3b1e6d7c05212cac29aab5f102799fd598ce0db4df6ef92e11da0477adfc33943df2bcc4ca6798471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73405cdf47ad05ff6d4c90e5c6cc13eb

SHA1
e4ab02eb664f0112d9bc5f251da32986fe4e23e3

SHA256
09709aaf51008922ca931e1be1707d0c9ed7099e2e77ad28d6c119016963980d

SHA512
5a586a1d32ce648690a5def316eb5330e8b5632896270b76cb46b573f13686299a0c0703f69fdf20c3785dd72970078e9e04d6050021d6a5be47425b768c4772

Download Submit
C:\Users\Admin\Desktop\CloudyApis.dll

Filesize
9KB

MD5
609af5514c520520a92773cec57b5938

SHA1
550e644ee696354763965facee800ca25f5d3d9d

SHA256
03673effc858f35658506cfea6c4906aab5c4d387af4d1a15222ff1e709356aa

SHA512
a657c5f7ce93acd8668c555945fb85cd44e15d714216f416c5d86440e7c5a505f18ba57b3785cb76f76f88fa4803ea54024a7583c3a1db1c0244adbc6f1eadf7

Download Submit
C:\Users\Admin\Desktop\bin\Cloudy.dll

Filesize
7.4MB

MD5
20a640d82130299fd0b72ce93d02f5f4

SHA1
223c99df8de6130214cafac7ffeea1e84de1ebdd

SHA256
293b972ee2154960c1d1aef1d03bf4092466f3855f4abc4826d63ee2df10a50f

SHA512
0d485ffd8c6fa4ce5cfecd402b7a5b2e6fdc0de10f1718298adb400098d89ade8f527e4b287590e7feca021a895644b5b6c9a205dfda32451f8949a8f5dfbca6

Download Submit
C:\Users\Admin\Desktop\bin\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
be0f6d1d60e149cedaca33a04963e05f

SHA1
b686e1ed9ae47b8ae803a5d9e912b0e631bc4217

SHA256
81a5fe6cd0ef5b083e5c4bdb6a40a30bfb1b0de15a9dfad459de2d6a36d94f86

SHA512
7b39dd8c70286ec4fe61cb2c3c12062f2dcbdda607c2f14c4f983741026f6aa62b60f9e983204949395cc54b5ebf6426c0f8300e0e385c35c1f2f3847160d7ff

Download Submit
C:\Users\Admin\Desktop\bin\libssl-3-x64.dll

Filesize
802KB

MD5
733e3b58ee1760a442fec4712848c3ad

SHA1
529206caad19cce2424323bc29a9fb9a4bbd3e76

SHA256
159198cb8e740f9ad5918b51503121fd1b7e70460f6a4f6a6aa27576bbfa31c7

SHA512
10835ff09e35d8acb2739707219905b3ae2870af973d8f80040baeb732eb798fa93ef1bc599ad9898aff8e20ee21aa1f5e5e07340eda205aa938fc001cd83a88

Download Submit
C:\Users\Admin\Desktop\bin\xxhash.dll

Filesize
46KB

MD5
70c514826d9428f184d27f0c8f397404

SHA1
e6b0b1a396de9913004d9bcaa230972686416bb6

SHA256
aff59e91d222b75b3e3ac789baba9e24eff99796261ae5e887ef9e3c28bb3d64

SHA512
168c63cbb54865ca42a884fd974291bcadd9dd8cf8bc1980148214e84498af42a590cb3d3a394765ee0b7d2e337fab6e85ff4f85d9ced97b92b540152202a0a6

Download Submit
C:\Users\Admin\Desktop\bin\zstd.dll

Filesize
638KB

MD5
5b96fb0d4e6453680da278f5b7e51a29

SHA1
3c96a29248fa3644de2c653a5d97c1e21b13a769

SHA256
1374391dafd6262795243a58f9fb234be859d940683fe756c64692ca807f0478

SHA512
27d06b7182aa48a81cce18f8f7b1bee054f3a862ccebd77d273a67c6a15e5d0ef5ba8fd7430976f445eb8bff51d290f2bb50061ac7ef448255ba8a18b8baf193

Download Submit
C:\Users\Admin\Desktop\krnl.deps.json

Filesize
791B

MD5
f2817e067ce945117e667c55ab21eda9

SHA1
0390b9d9ebc8c3787c92ec940b8ce4390fc14edf

SHA256
5fbeb7a8622a9cf7f97c28ab9882457e748ed976f9c55d4c688ad1535c15e7c5

SHA512
b033871823726306c7160a31f9aa21a4f87a107e2c3cc4402963abd7f1d3070a6b17f1d8bb32b1a43b7c607eda9e17410833e923294096a4026bc9296123ec29

Download Submit
C:\Users\Admin\Desktop\krnl.dll

Filesize
136KB

MD5
a60e4ac4cae338731e6f3e87b8a1a5e6

SHA1
0e53dc9f01426ef706934644da2cd9fa46b5f5b2

SHA256
ea944af2b5c63f46c188e2851e43aea77253b0fb3703ec1340b4e60bda397488

SHA512
360d8c719537ad8dfe156ebe56aa6e450c91465affebb3e82779fb07d1d992f3bbf063d4b3d10acfa5346ad226ab0b3319dc6ba8db59d0e2505b2c814ead760b

Download Submit
C:\Users\Admin\Desktop\krnl.exe

Filesize
142KB

MD5
cdeca54ab1bac472cd124dbf8d306b8d

SHA1
6d2c8feef9e665c3e1775f39ae06634cc82b398f

SHA256
67c32209e928c6061fb102593b3cd20e56ab56d5cba4eadd5abce2cfd6f6388b

SHA512
ba0994299257e5b2fee3df70469a842e06acbe7c1b385bc5cd2c9cf6d74bc37bb72bd68e4aeea14a9e23ae6aa00f729a1f83706fd5699d4f7dc2b3060c4d09a5

Download Submit
C:\Users\Admin\Desktop\krnl.runtimeconfig.json

Filesize
443B

MD5
9db099f143ead47e224653d0dde19fe9

SHA1
d050db767fc64aa1705353132da3e35048475d3c

SHA256
7e79af92820e50910b90f1cade2728f45987393f24b50e384dc225d9773b7194

SHA512
579c3c870903b3d47dbc2567153fa7c73e0aa47387c6969b8982037884033a4b25de702e0efb8c7ae717b6b463192b917b18a79b1ef5f8c969f257422af2b65f

Download Submit
memory/2192-89-0x00007FFF53B30000-0x00007FFF54830000-memory.dmp

Filesize
13.0MB

Download
memory/3428-72-0x00007FFF53B30000-0x00007FFF54830000-memory.dmp

Filesize
13.0MB

Download
memory/3428-69-0x00007FFF78F20000-0x00007FFF78F22000-memory.dmp

Filesize
8KB

Download
memory/3428-63-0x00007FFF7B3B0000-0x00007FFF7B3B2000-memory.dmp

Filesize
8KB

Download
memory/3428-64-0x00007FFF7B3C0000-0x00007FFF7B3C2000-memory.dmp

Filesize
8KB

Download
memory/3428-65-0x00007FFF7B3D0000-0x00007FFF7B3D2000-memory.dmp

Filesize
8KB

Download
memory/3428-66-0x00007FFF7AD20000-0x00007FFF7AD22000-memory.dmp

Filesize
8KB

Download
memory/3428-67-0x00007FFF7AD30000-0x00007FFF7AD32000-memory.dmp

Filesize
8KB

Download
memory/3428-68-0x00007FFF78F10000-0x00007FFF78F12000-memory.dmp

Filesize
8KB

Download
memory/3792-55-0x00007FFF58490000-0x00007FFF59190000-memory.dmp

Filesize
13.0MB

Download
memory/3792-52-0x00007FFF78F20000-0x00007FFF78F22000-memory.dmp

Filesize
8KB

Download
memory/3792-46-0x00007FFF7B3B0000-0x00007FFF7B3B2000-memory.dmp

Filesize
8KB

Download
memory/3792-47-0x00007FFF7B3C0000-0x00007FFF7B3C2000-memory.dmp

Filesize
8KB

Download
memory/3792-48-0x00007FFF7B3D0000-0x00007FFF7B3D2000-memory.dmp

Filesize
8KB

Download
memory/3792-49-0x00007FFF7AD20000-0x00007FFF7AD22000-memory.dmp

Filesize
8KB

Download
memory/3792-50-0x00007FFF7AD30000-0x00007FFF7AD32000-memory.dmp

Filesize
8KB

Download
memory/3792-51-0x00007FFF78F10000-0x00007FFF78F12000-memory.dmp

Filesize
8KB

Download
memory/4272-102-0x00007FFF78F10000-0x00007FFF78F12000-memory.dmp

Filesize
8KB

Download
memory/4272-99-0x00007FFF7B3D0000-0x00007FFF7B3D2000-memory.dmp

Filesize
8KB

Download
memory/4272-100-0x00007FFF7AD20000-0x00007FFF7AD22000-memory.dmp

Filesize
8KB

Download
memory/4272-101-0x00007FFF7AD30000-0x00007FFF7AD32000-memory.dmp

Filesize
8KB

Download
memory/4272-103-0x00007FFF78F20000-0x00007FFF78F22000-memory.dmp

Filesize
8KB

Download
memory/4272-97-0x00007FFF7B3B0000-0x00007FFF7B3B2000-memory.dmp

Filesize
8KB

Download
memory/4272-106-0x00007FFF585E0000-0x00007FFF592E0000-memory.dmp

Filesize
13.0MB

Download
memory/4272-98-0x00007FFF7B3C0000-0x00007FFF7B3C2000-memory.dmp

Filesize
8KB

Download