Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe
  Resource: win10v2004-20220812-en
General
Target: 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe
Size: 30KB
MD5: 66d18e4b185ae7f81a5008f5c6344110
SHA1: 1d4da5701608c1c923605d236d1fd21bce3606f9
SHA256: 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e
SHA512: eaa997544711146f5ca151f1f53325a472e7eda297ea1ea19a286db888021f2d2aa84fb6eb25d82a58ba0791e6f7baaf3854634da11188546227f17f20387086
SSDEEP: 384:RoHUrot3b5tbqMHLueg6ihJSxUCR1rgCPKabK2t0X5P7DZ+LMX4xWBZWH5UXyu1B:RMmot32MHTFRJ+XJzXy0SOoIT
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Drops file in Program Files directory (2 IoCs)
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\77611b86-6964-4bd1-a289-0fb14cbc2e5c.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221003182559.pma | setup.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process | entries
2332 | msedge.exe | 2
2268 | msedge.exe | 2
5016 | msedge.exe | 2
3656 | identity_helper.exe | 2
728 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
pid | process | entries
5016 | msedge.exe | 7

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msedge.exe
pid | process | entries
5016 | msedge.exe | 2

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe, msedge.exe, msedge.exe
description | pid | process | target process | entries
PID 2784 wrote to memory of 2012 | 2784 | 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe | msedge.exe | 2
PID 2012 wrote to memory of 1868 | 2012 | msedge.exe | msedge.exe | 2
PID 2784 wrote to memory of 5016 | 2784 | 8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe | msedge.exe | 2
PID 5016 wrote to memory of 3508 | 5016 | msedge.exe | msedge.exe | 2
PID 5016 wrote to memory of 1808 | 5016 | msedge.exe | msedge.exe | 40
PID 2012 wrote to memory of 2160 | 2012 | msedge.exe | msedge.exe | 16
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffedaad46f8,0x7ffedaad4708,0x7ffedaad4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6575904376364442815,15150388371047163764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6575904376364442815,15150388371047163764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8ea71f1f17919dda0d2de65ceeecbdf3f27a9791a488e3edcca8863335d3b50e.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffedaad46f8,0x7ffedaad4708,0x7ffedaad4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5492 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x1c8,0x7ff7e96e5460,0x7ff7e96e5470,0x7ff7e96e5480

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11702745300400062903,6472051886931299615,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
  Filesize: 471B
  MD5: b2eb40bbc2497cd170740d37eb1abbf5
  SHA1: 23875cde952221031044e734882274ee826f282d
  SHA256: 6dfc5aaed644f6c56fd6522a9c029e6760f32e3acdb3a4efc971919c0f5cc809
  SHA512: 7042aab52cfe09f04e8117b9adb8db1e6e5a38dce125cabf3d12c6337d6692f426feccf0712e9326a776087594d1a50361f709f9b86b419262b2c7193566f7f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
  Filesize: 412B
  MD5: 38de1527fab50f6b9b7738e561bfb6cb
  SHA1: f9d6718a7d6c7ae0874709364d0465e82ea5e033
  SHA256: 5a00b8cea60a6e632b98c60d095c610cb64a7571aa0b5151d91003d233ac8604
  SHA512: dafb27456e572b65c772510efc3683615f20f683487587f24c3d0bfd7bf10e7f2a28d4accc5bea8e77678856126f99678fb87a6e0c373ebf54b65bfa2175d9ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: e1661723f09a6aed8290c3f836ef2c2b
  SHA1: 55e08c810da94c08c5ee54ace181d4347f4e2ae5
  SHA256: a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2
  SHA512: dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7b3f352bbc8046d1d5d84c5bb693e2e5
  SHA1: e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c
  SHA256: 471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da
  SHA512: c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5: 2a975227a425e12de16db51149f9170a
  SHA1: 32d03052392671e9ae1decbb0748f7b0ce55621e
  SHA256: 17da1afd22b262e1e0017135ca99fa9070e7d82a32bc081d8b07030abe402797
  SHA512: 00a00c9577fea4d9ab4dd8feae08e096a588a0aadb03899b15288fe3cf4ceec18d6e17af10bd703a1938e51a48e9d3ecc9989a584d7cb7b08fccfa413191376b

\??\pipe\LOCAL\crashpad_2012_LPZQRNJFHLTMXTJY
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_5016_JMYREDYVRGUAWOVZ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
memory/424-169-0x0000000000000000-mapping.dmp
memory/728-183-0x0000000000000000-mapping.dmp
memory/920-160-0x0000000000000000-mapping.dmp
memory/1112-174-0x0000000000000000-mapping.dmp
memory/1616-180-0x0000000000000000-mapping.dmp
memory/1808-143-0x0000000000000000-mapping.dmp
memory/1864-166-0x0000000000000000-mapping.dmp
memory/1868-134-0x0000000000000000-mapping.dmp
memory/2012-133-0x0000000000000000-mapping.dmp
memory/2160-146-0x0000000000000000-mapping.dmp
memory/2268-147-0x0000000000000000-mapping.dmp
memory/2332-145-0x0000000000000000-mapping.dmp
memory/2724-178-0x0000000000000000-mapping.dmp
memory/2784-138-0x0000000000A80000-0x0000000000A898E7-memory.dmp
  Filesize: 38KB
memory/2784-132-0x0000000000A80000-0x0000000000A898E7-memory.dmp
  Filesize: 38KB
memory/2860-164-0x0000000000000000-mapping.dmp
memory/2872-175-0x0000000000000000-mapping.dmp
memory/3068-150-0x0000000000000000-mapping.dmp
memory/3508-136-0x0000000000000000-mapping.dmp
memory/3608-171-0x0000000000000000-mapping.dmp
memory/3656-162-0x0000000000000000-mapping.dmp
memory/3656-176-0x0000000000000000-mapping.dmp
memory/4044-182-0x0000000000000000-mapping.dmp
memory/4204-156-0x0000000000000000-mapping.dmp
memory/4532-158-0x0000000000000000-mapping.dmp
memory/5016-135-0x0000000000000000-mapping.dmp
memory/5040-173-0x0000000000000000-mapping.dmp