b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe
Size

1.1MB
MD5

954f28685a32bc64adea48d5cca24fb6
SHA1

507e7420ca2e1196d6c28372ec816329967f4837
SHA256

b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c
SHA512

34dd83b2ef07d99f8e3f83cb5edc5d66fdf4efe3a1be19a21422c8b6ac3c139d1d6f3a1b82046a645aacd05ca8037a665104ff5bd841ece0f33dcee0de84d61b

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\500ee8cc-7ba3-4422-a029-a7ae6c79a920.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220804094730.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3668	msedge.exe
3668	msedge.exe
3680	msedge.exe
3680	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
4692	identity_helper.exe
4692	identity_helper.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1972 msedge.exe
1972 msedge.exe
1972 msedge.exe
1972 msedge.exe
1972 msedge.exe
1972 msedge.exe
1972 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1972 msedge.exe
1972 msedge.exe

pid	process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

pid	process
1972	msedge.exe
1972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4708 wrote to memory of 3732	4708	b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe	msedge.exe
PID 4708 wrote to memory of 3732	4708	b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe	msedge.exe
PID 3732 wrote to memory of 2388	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 2388	3732	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1972	4708	b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe	msedge.exe
PID 4708 wrote to memory of 1972	4708	b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe	msedge.exe
PID 1972 wrote to memory of 4868	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 4868	1972	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 3732 wrote to memory of 4356	3732	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2256	1972	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe
"C:\Users\Admin\AppData\Local\Temp\b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe96ac46f8,0x7ffe96ac4708,0x7ffe96ac4718
3⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14680150900648288227,9415059668236470150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14680150900648288227,9415059668236470150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3016 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b5d0f2b421c83dbfd223633e7aa692e4c6d7bdb3659b65e7f3207cd61a3d478c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe96ac46f8,0x7ffe96ac4708,0x7ffe96ac4718
3⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
3⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
3⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
3⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
3⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
3⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 /prefetch:8
3⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
3⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
3⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5848 /prefetch:8
3⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
3⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
3⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
3⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b83f5460,0x7ff6b83f5470,0x7ff6b83f5480
4⤵
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1852 /prefetch:8
3⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
3⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
3⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5635504416992502272,2727979767312502987,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2908 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
8024c37f81a0b9a5f37121550621be4b

SHA1
4cde8f1b3a01096bd1f8476dc595f3210590f522

SHA256
a4e49bf7354746282149370fb3fb1159ccc91ac20946ac569157a6c4a4ffd828

SHA512
7f1d8e180c79e2e6633dba4fa6ca759b7fcb4f9a0491fc23abf6425152c2492b738b8dc1c6ce68a736af1c174817a00f85a80bc2b39d7922c57b69fb1bb379f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
4d680f5e45355c4bf1175ebcae2872bd

SHA1
31c58c614f98b6ff4aeee9bb45c939d355616a5c

SHA256
09931cd6fdd1ff437f70ec089fd2fdd5d096d20bf4196655fcf47c1875406a8a

SHA512
960cb03aad9f673d9575576823ac95f5798bf0b424efc1add9dcee2731a85174199cf3d744c617fbb79167c659bc32be6cee8f4686778c4b9b2268acde6bc53e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
4d680f5e45355c4bf1175ebcae2872bd

SHA1
31c58c614f98b6ff4aeee9bb45c939d355616a5c

SHA256
09931cd6fdd1ff437f70ec089fd2fdd5d096d20bf4196655fcf47c1875406a8a

SHA512
960cb03aad9f673d9575576823ac95f5798bf0b424efc1add9dcee2731a85174199cf3d744c617fbb79167c659bc32be6cee8f4686778c4b9b2268acde6bc53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e45a3d6c31013da55ed308015a7b40c

SHA1
bfc912c204506a5ad8cf07c374577316341990c6

SHA256
f9a349c81c351f483f1db40cccb7a4a99950fc30769ab9be716739f1beaf413c

SHA512
5c9aedc1be72562445db07fc367afcf3dd003ee2f874dea33ff36d801e86c18559cc44f538ebaa7397fe387a494737a147b260b08a6bca6bfacaf332485a4cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
44a0e0dec73bba7d7c456b24a4c3884e

SHA1
bcaf39464270fb6b4d88e456b7c146ef44885a00

SHA256
41a197f731931bf11cdf1d6c8dc9fc1ef9f8095700499044563d838269cafd52

SHA512
11640e42884a131d18ea86c005a3d10c553978bcaf3ec4d727e22c686141b6afa5d92e5e7ae0a88e1cf5ae2503eb731471e4847f87339d6aecd58c58b10b338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c9bacf08b9050e984082d30a41d84412

SHA1
85c6ee5d639243d94ddd5a4727fd247699149715

SHA256
faec3200071fc2db86da63539fb81047d32aff3d55bb1d6b194201083ba1494c

SHA512
e53eced15cfd6c211ea4b20b044b1da4fe2d0a02c7144a00fafece9318f3ef3eaf5817bc695f5a42a8475f21753a7392642ce68bd21e154544a1ab898e338b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
24367b2a8486f2aa744dfaebc9962598

SHA1
09c273e584f4bdaf3c867fc709e122f6bd692108

SHA256
c5891e4f0866dd2afef9749a8671de1777d1558aaad791439a7d635aa8376d6f

SHA512
bf1135d2a9e25880fcee0e03db05836d3671ff12e85814a3628351fbd821f4335f0eef5cbd26b59f8237ff333144d9efc005f3be6ea4d6e49d6172cafe158fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637951935932389049
Filesize
4KB

MD5
934b601dc9ad6e08937c7beb79742dc4

SHA1
1e3bb075a845efd37a19b274716df9e4cffbb5fc

SHA256
a0de62931747f5d1dd0c5b75e1fe4bf6d8174c395f0f9f7a2ea1447051270001

SHA512
711da83dff1efca4fe28cf0caeaae44766e34708c63c3832cbc10cf25ed7d0d98c4837d55baa0299d11643a4918de66005bc544d175fc210479e88477da4e59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
\??\pipe\LOCAL\crashpad_1972_ETALUSOVOYGHJCNT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3732_DZUKDNXCPRWLXZSH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/812-182-0x0000000000000000-mapping.dmp

Download
memory/1200-163-0x0000000000000000-mapping.dmp

Download
memory/1476-169-0x0000000000000000-mapping.dmp

Download
memory/1928-176-0x0000000000000000-mapping.dmp

Download
memory/1968-190-0x0000000000000000-mapping.dmp

Download
memory/1972-134-0x0000000000000000-mapping.dmp

Download
memory/2064-165-0x0000000000000000-mapping.dmp

Download
memory/2256-146-0x0000000000000000-mapping.dmp

Download
memory/2388-133-0x0000000000000000-mapping.dmp

Download
memory/2492-167-0x0000000000000000-mapping.dmp

Download
memory/3172-180-0x0000000000000000-mapping.dmp

Download
memory/3344-173-0x0000000000000000-mapping.dmp

Download
memory/3644-181-0x0000000000000000-mapping.dmp

Download
memory/3668-151-0x0000000000000000-mapping.dmp

Download
memory/3680-150-0x0000000000000000-mapping.dmp

Download
memory/3700-171-0x0000000000000000-mapping.dmp

Download
memory/3732-132-0x0000000000000000-mapping.dmp

Download
memory/4316-161-0x0000000000000000-mapping.dmp

Download
memory/4356-144-0x0000000000000000-mapping.dmp

Download
memory/4484-187-0x0000000000000000-mapping.dmp

Download
memory/4544-185-0x0000000000000000-mapping.dmp

Download
memory/4692-183-0x0000000000000000-mapping.dmp

Download
memory/4760-178-0x0000000000000000-mapping.dmp

Download
memory/4868-135-0x0000000000000000-mapping.dmp

Download
memory/5044-189-0x0000000000000000-mapping.dmp

Download