9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe
Size

25KB
MD5

716d84148eb4ae9301f0984c083652e2
SHA1

206eb4837ca081f4b4acac0b4bb5a82da76c7b34
SHA256

9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094
SHA512

1070ce34a45ba93bf1548c68b2675791eb1f825d410cb642f9ef5309845d4183eefcb8a3130ded064f71038ce81864eba591b45dff53208a890dbc95548601e5
SSDEEP

384:kTok+6WFPRQBg1IAcisKk/z/kS97xXhOXs2HlnTvBAperWYCW8p8Ay4J+Ti6CVqB:fFeBgZcisKkr/ko7XWs2FnT148Brl

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9c431389-be90-45ee-ac2b-f5ec9f3f7e86.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221002064919.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3272	msedge.exe
3272	msedge.exe
1952	msedge.exe
1952	msedge.exe
5084	msedge.exe
5084	msedge.exe
1656	identity_helper.exe
1656	identity_helper.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
5084 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

5084 msedge.exe
5084 msedge.exe

pid	process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

pid	process
5084	msedge.exe
5084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4808 wrote to memory of 5084	4808	9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe	msedge.exe
PID 4808 wrote to memory of 5084	4808	9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe	msedge.exe
PID 5084 wrote to memory of 5004	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 5004	5084	msedge.exe	msedge.exe
PID 4808 wrote to memory of 2932	4808	9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe	msedge.exe
PID 4808 wrote to memory of 2932	4808	9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe	msedge.exe
PID 2932 wrote to memory of 636	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 636	2932	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 5084 wrote to memory of 392	5084	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe
PID 2932 wrote to memory of 4956	2932	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe
"C:\Users\Admin\AppData\Local\Temp\9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa333a46f8,0x7ffa333a4708,0x7ffa333a4718
3⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
3⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
3⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
3⤵
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
3⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 /prefetch:8
3⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
3⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
3⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5968 /prefetch:8
3⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
3⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
3⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
3⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1f8,0x22c,0x7ff6030b5460,0x7ff6030b5470,0x7ff6030b5480
4⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
3⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
3⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
3⤵
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
3⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
3⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
3⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13165910498359593209,2566596279575796923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1280 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9a2d4e849b2cff6f08bcc03932667f5ad183095a57322a360510a00f5487f094.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa333a46f8,0x7ffa333a4708,0x7ffa333a4718
3⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5583486014007410834,3184128934035527411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,5583486014007410834,3184128934035527411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
c23b69393fce27542d40c40b433e02e0

SHA1
eb8ce98c5d20d7a19ad3e126afb2b007ff6bab82

SHA256
dc702082209ae37c6ca7549fcba9b139ceddf1c56acf3490d532c4ddd51e32fa

SHA512
4e9ce85e7bc8b58dd99af2627da88b507c43bea218f59ef01640a467a5641129600352e83fb281cdde1e79696a9228605a0dd1a441d5ea5b0a03982264d0e60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
ae980ff5ff2173bf33b892ffee887a60

SHA1
bc6a475bd607915ad4377ae65d7f268aae20b024

SHA256
2f2b0fdb6d6aaf173a73698223aeddcca1206f51016a44e3d411cdfc1bb3113d

SHA512
e83bd705cfb73a723dbbbebf1c9cc78c895b2abd4e561f60edfbdfd79727537261f39b7be320b8b2613f46172ea67a716a1cd9468906473784ea1a0e8802963d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0e9c501060e4a557ba8b47a8ed717e04

SHA1
371b979e2f059c5d4e81ccd0ff54587069f5b674

SHA256
b19f7e8a83e33b27b75a541d7076a90768e5ec58ff9c7a0033768bf197760c77

SHA512
c43b40b9b6647d3bc96c2c1a1a26d1ff417343f137aa15845cfe152da29f35ef36b5dcd3a755895ed25335f4a03d477fe6ce03b476c3391e83cc702a61d63935

Download Submit
\??\pipe\LOCAL\crashpad_2932_CLCZDLGMKXUFJNFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5084_JBIWMJETCSYRMGLJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-144-0x0000000000000000-mapping.dmp

Download
memory/636-135-0x0000000000000000-mapping.dmp

Download
memory/664-159-0x0000000000000000-mapping.dmp

Download
memory/1144-189-0x0000000000000000-mapping.dmp

Download
memory/1428-167-0x0000000000000000-mapping.dmp

Download
memory/1480-190-0x0000000000000000-mapping.dmp

Download
memory/1656-177-0x0000000000000000-mapping.dmp

Download
memory/1952-149-0x0000000000000000-mapping.dmp

Download
memory/2124-157-0x0000000000000000-mapping.dmp

Download
memory/2368-179-0x0000000000000000-mapping.dmp

Download
memory/2372-187-0x0000000000000000-mapping.dmp

Download
memory/2672-183-0x0000000000000000-mapping.dmp

Download
memory/2928-161-0x0000000000000000-mapping.dmp

Download
memory/2932-134-0x0000000000000000-mapping.dmp

Download
memory/3084-170-0x0000000000000000-mapping.dmp

Download
memory/3208-174-0x0000000000000000-mapping.dmp

Download
memory/3272-147-0x0000000000000000-mapping.dmp

Download
memory/4428-152-0x0000000000000000-mapping.dmp

Download
memory/4448-172-0x0000000000000000-mapping.dmp

Download
memory/4484-181-0x0000000000000000-mapping.dmp

Download
memory/4536-163-0x0000000000000000-mapping.dmp

Download
memory/4540-176-0x0000000000000000-mapping.dmp

Download
memory/4572-185-0x0000000000000000-mapping.dmp

Download
memory/4756-165-0x0000000000000000-mapping.dmp

Download
memory/4956-142-0x0000000000000000-mapping.dmp

Download
memory/5004-133-0x0000000000000000-mapping.dmp

Download
memory/5084-132-0x0000000000000000-mapping.dmp

Download
memory/5100-175-0x0000000000000000-mapping.dmp

Download