Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-03-2022 09:46

Static task: static1
Behavioral task: behavioral1
  Sample: 8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: 8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe
  Resource: win10v2004-en-20220113

General
Target: 8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe
Size: 552KB
MD5: b5afdac3b6cac4f00ac7c5fac52c121e
SHA1: 5042c01d146a7db2dc522e8852ce06c9da820888
SHA256: 8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949
SHA512: 29d91b8ad41ba6b758952af5a42f25815296ee30aef89d50aa0790611451f62b5a1f59e5a41a9c0c6ea1c42b357aef48abc6f059a78644b65aeb5ba993828b05
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: msedge.exe
    Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run

Drops file in Program Files directory (2 IoCs)
  Process: setup.exe
    File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2d65fd87-dc96-43c9-b269-4dba4140b487.tmp
    File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220312110243.pma

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: msedge.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Modifies registry class (1 IoC)
  Process: msedge.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID   Process               Entries
  4332  msedge.exe            2
  2360  msedge.exe            2
  544   msedge.exe            2
  680   identity_helper.exe   2
  1960  msedge.exe            4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID   Process      Entries
  544   msedge.exe   7

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token           PID   Process      Entries
  SeTcbPrivilege  1748  svchost.exe  5

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID   Process      Entries
  544   msedge.exe   3

Suspicious use of WriteProcessMemory (64 IoCs)
  The sandbox logged 64 individual write events; they fall into the six source/target pairs below, each of which was recorded more than once.
  Source PID  Source process                                                              Target PID  Target process
  1592        8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe        544         msedge.exe
  544         msedge.exe                                                                  1416        msedge.exe
  1592        8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe        4624        msedge.exe
  4624        msedge.exe                                                                  4708        msedge.exe
  4624        msedge.exe                                                                  5112        msedge.exe
  544         msedge.exe                                                                  5044        msedge.exe
Processes
PID 1592  C:\Users\Admin\AppData\Local\Temp\8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe"
  - Suspicious use of WriteProcessMemory
    PID 544  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        PID 1416  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9376c46f8,0x7ff9376c4708,0x7ff9376c4718
        PID 5044  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
        PID 4332  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        PID 5020  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        PID 1400  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
        PID 1788  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
        PID 4088  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
        PID 5028  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5440 /prefetch:8
        PID 1660  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        PID 4436  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        PID 2404  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
        PID 1176  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
        PID 2100  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
        PID 3380  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
            PID 1364  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7fd655460,0x7ff7fd655470,0x7ff7fd655480
        PID 680  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        PID 1068  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
        PID 3604  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:8
        PID 4944  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
        PID 4068  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1116 /prefetch:8
        PID 1960  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4104 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
        PID 2172  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,7564482510788110753,9365680199256502020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
    PID 4624  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8bbd8cfbd8cdcb85db7eb16de379076560cfcf22f293b0664594fd260e6a9949.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Suspicious use of WriteProcessMemory
        PID 4708  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb4,0x104,0x7ff9376c46f8,0x7ff9376c4708,0x7ff9376c4718
        PID 5112  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,921193336732540198,8801526620680231019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        PID 2360  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,921193336732540198,8801526620680231019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

PID 208  C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4216  C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1748  C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads