0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe

General

Target

0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe
Size

584KB
MD5

d519245c5be1e9f491eb1e1ebfc88bef
SHA1

7511d6366977ffda8b2d033667d12a563d26054b
SHA256

0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe
SHA512

7d33a3f58d2d3f7c87fb7b3a1661550059cefa4c6a81c88f523e6f6241cb33cd2eae1d8758ad7a20776ec2fec0f64c3d0b29731c93c0e85e64b6a80de4d0c518

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b2e7d921-858f-4027-afa6-3d2322732fc1.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129010301.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1488	msedge.exe
1488	msedge.exe
5080	msedge.exe
5080	msedge.exe
4476	msedge.exe
4476	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4476 msedge.exe
4476 msedge.exe
4476 msedge.exe
4476 msedge.exe
4476 msedge.exe
4476 msedge.exe
4476 msedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeTcbPrivilege	4724	svchost.exe
Token: SeTcbPrivilege	4724	svchost.exe
Token: SeTcbPrivilege	4724	svchost.exe
Token: SeTcbPrivilege	4724	svchost.exe
Token: SeTcbPrivilege	4724	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4476 msedge.exe
4476 msedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4748 wrote to memory of 4476	4748	0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe	msedge.exe
PID 4748 wrote to memory of 4476	4748	0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe	msedge.exe
PID 4476 wrote to memory of 3064	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 3064	4476	msedge.exe	msedge.exe
PID 4748 wrote to memory of 3208	4748	0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe	msedge.exe
PID 4748 wrote to memory of 3208	4748	0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe	msedge.exe
PID 3208 wrote to memory of 4372	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4372	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1028	4476	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 432	3208	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe
"C:\Users\Admin\AppData\Local\Temp\0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9557046f8,0x7ff955704708,0x7ff955704718
3⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
3⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
3⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
3⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
3⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
3⤵
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
3⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
3⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
3⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 /prefetch:8
3⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff627bb5460,0x7ff627bb5470,0x7ff627bb5480
4⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6588 /prefetch:8
3⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
3⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:8
3⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3193452725037585648,7080609320921750599,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7196 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0a595c1094f7328f915cc7d41b675bd8ae61dd4480406f63f7c6142b4fc993fe.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9557046f8,0x7ff955704708,0x7ff955704718
3⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6907770380460226043,2125626931611782090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6907770380460226043,2125626931611782090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5
9c87a01920853c68babb35cca8b4c83f

SHA1
705c6f833b6033f9ecff6011f49bf4a119185455

SHA256
adee1283ee7b0e2cff305d8ba551a7e0ea3838d93d2e7a980061199300ceef7e

SHA512
882501747528e36cb0298fd711d7dc9804367830e72b720e142b070baaa44b841fc3e9e8987574986a2075cd3b6988337a8aa75c795cb404eac56d3c0f57a8bc

Download Submit
\??\pipe\LOCAL\crashpad_3208_SYDTKZTJQITQKDUE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4476_ZMRXKPJOECIQOXNF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/432-137-0x00007FF974030000-0x00007FF974031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads