ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe
Size

70KB
MD5

39187dfb5e9e3f1156f5f4ac0d5b954e
SHA1

1840963b8175b83ef10808ee4f405552e5e61228
SHA256

ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698
SHA512

0dc2f8d15bcfa45fd0399d61e4a599e3e08465b8c96889065defa4f82c7cc17df26cc6afbf9e398e186079ae39667164eee6656cf19bda377c1610a8c899a32d
SSDEEP

1536:gSWCNDP8QiAWHAe130Nb/UE3p6cER3p2K:lP8BHA230RJDy3p2

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f37d9655-dbec-493e-9134-ae749e394104.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221004003316.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

2912 msedge.exe
2912 msedge.exe
2664 msedge.exe
2664 msedge.exe
1936 msedge.exe
1936 msedge.exe
3296 identity_helper.exe
3296 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
1936 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1936 msedge.exe
1936 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
2912	msedge.exe
2912	msedge.exe
2664	msedge.exe
2664	msedge.exe
1936	msedge.exe
1936	msedge.exe
3296	identity_helper.exe
3296	identity_helper.exe

pid	process
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe

pid	process
1936	msedge.exe
1936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4280 wrote to memory of 1936	4280	ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe	msedge.exe
PID 4280 wrote to memory of 1936	4280	ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe	msedge.exe
PID 1936 wrote to memory of 1208	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1208	1936	msedge.exe	msedge.exe
PID 4280 wrote to memory of 4264	4280	ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe	msedge.exe
PID 4280 wrote to memory of 4264	4280	ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe	msedge.exe
PID 4264 wrote to memory of 4340	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 4340	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 1936 wrote to memory of 1172	1936	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 3936	4264	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe
"C:\Users\Admin\AppData\Local\Temp\ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85ef446f8,0x7ff85ef44708,0x7ff85ef44718
3⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
3⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
3⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
3⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
3⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 /prefetch:8
3⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
3⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
3⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6124 /prefetch:8
3⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
3⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
3⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
3⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff696f45460,0x7ff696f45470,0x7ff696f45480
4⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
3⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:8
3⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,11375785294646076087,10367733013681203527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
3⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ef1efc13a21d821e5fa6bd99a7efc33f34251d8227fdf0f4161c312b338d7698.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85ef446f8,0x7ff85ef44708,0x7ff85ef44718
3⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2604,3151356786361270262,5077214963531728076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2604,3151356786361270262,5077214963531728076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2840 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
b2eb40bbc2497cd170740d37eb1abbf5

SHA1
23875cde952221031044e734882274ee826f282d

SHA256
6dfc5aaed644f6c56fd6522a9c029e6760f32e3acdb3a4efc971919c0f5cc809

SHA512
7042aab52cfe09f04e8117b9adb8db1e6e5a38dce125cabf3d12c6337d6692f426feccf0712e9326a776087594d1a50361f709f9b86b419262b2c7193566f7f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
dcb650a933b718c9e345f34b03dcf176

SHA1
5d685186371b16d6c48a076fabcf9b43ad821b3e

SHA256
81f0783a49afce7c284a0b9099f45a646694fdd67ce33a5e275aa461262a1d44

SHA512
e4a8e165fa3166b52e941559ed50c49e13f7a28e181338cea892b448f31eb5ded74e35584386b853d17a1817294a64888da69acb8170d35c46288f2ec8323ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
412B

MD5
b28e162ecd4e9d4029bca5f9660fa778

SHA1
86603b354c73271d5af2daf66c573a0d7ecf8312

SHA256
2ef411cedc5da89cd8da49cd7d41d0c9628a18de91157f286d3427c1a247f7a2

SHA512
716aec676ba7498b4befbac3b97d806d3925e20b7c1e588d79342adaea4120df42bc5ea2f0e209b06f8953152c438bc91c317aab4db7bf86a3f8af7768322b40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
9d7ba55983459d6453203e2a53b3ec64

SHA1
2dec704ab41871987568712dcf4a9b0764f3735b

SHA256
4146fd32cd55c4ea9c6ed6560b2d15af73ea0daa689e3fcb8a19ec715a117181

SHA512
afb067d5d2398ce0e8f1608039afde7ba3c07dec40440aafb27204c79d24ae8aa229db1507a0a10ab349670903f36ee294ecfe18e6baf30941ee2b058c9fabf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e086dbf53664e4d29bf1e1301cd6a5d2

SHA1
81713e6063a12dc9c2ed4b9a2ff41308aedc6550

SHA256
2e859dea8b506779e0dc203156ff5afdad3f86f7c6b3560c9a7fa7dd2f453ee6

SHA512
ca62b20877d2dd51d444d0a2006d4abd1bcb1cbacffa36e9b85fd7cc55907df00b4b3e3f58719589310007e481059d0eefc4f01d2ff507bbb8b477dbaaf25c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
4c7f0247320c17782fcf732cb3e7b6c3

SHA1
bda552ff5ec21fa8207e31c6caf5bdcf5c091bcc

SHA256
966581ac28d2be908c33d2414a80e560af84576b8c7e8bf60700d65384239456

SHA512
26d99c16d855f7ae8094427ef8b81790411c76fc41e9ff761d535ded34df30d86754a0846ea69c2dff2452c7a794d1d76db1d4b82725dea1e86e433016eb9ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638004316760565997
Filesize
2KB

MD5
047079a930e9d436c3b42c27807ecf14

SHA1
a47e88b75d8c7fd8da776f1886203fb28e56debd

SHA256
ff455abc04a7a5dd6b0c54fe4d3b9cf3c63480fcfce49388a2b9e096ed462b4a

SHA512
c91aac176df8a2148a047e73be15a1f02748715d4531274f4bdf9866012c0f9905d20fc9b9a6b3020f856f5995cfebcb798f3638a6e84f1d349015ccff8f821f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize
24KB

MD5
fd44a28e3931444006e7e9306d2f0bc0

SHA1
2930a859234f9c3e6d7bd024543e082ef42c13d1

SHA256
5dd2dc725a4216a1ad7fc22cf89f145adf3adde099b8b21c60c34c5c53cec14f

SHA512
76de7705e9295690c403a76002fa26bab013a0f8721265a3800ff21f7ba227d33781ad17caa79eddcfd5431f45e54abc9d355fd6a7ec134043d15c831c4e4a2d

Download Submit
\??\pipe\LOCAL\crashpad_1936_QKEANQYLGRYTJFTZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4264_PVFGIKCQPJROHWII
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/544-165-0x0000000000000000-mapping.dmp

Download
memory/544-190-0x0000000000000000-mapping.dmp

Download
memory/868-188-0x0000000000000000-mapping.dmp

Download
memory/940-179-0x0000000000000000-mapping.dmp

Download
memory/1004-167-0x0000000000000000-mapping.dmp

Download
memory/1172-154-0x0000000000000000-mapping.dmp

Download
memory/1208-133-0x0000000000000000-mapping.dmp

Download
memory/1504-183-0x0000000000000000-mapping.dmp

Download
memory/1792-173-0x0000000000000000-mapping.dmp

Download
memory/1936-132-0x0000000000000000-mapping.dmp

Download
memory/2224-171-0x0000000000000000-mapping.dmp

Download
memory/2296-177-0x0000000000000000-mapping.dmp

Download
memory/2664-156-0x0000000000000000-mapping.dmp

Download
memory/2912-157-0x0000000000000000-mapping.dmp

Download
memory/3240-175-0x0000000000000000-mapping.dmp

Download
memory/3296-184-0x0000000000000000-mapping.dmp

Download
memory/3436-161-0x0000000000000000-mapping.dmp

Download
memory/3620-182-0x0000000000000000-mapping.dmp

Download
memory/3936-155-0x0000000000000000-mapping.dmp

Download
memory/4192-169-0x0000000000000000-mapping.dmp

Download
memory/4264-134-0x0000000000000000-mapping.dmp

Download
memory/4340-135-0x0000000000000000-mapping.dmp

Download
memory/4668-186-0x0000000000000000-mapping.dmp

Download
memory/5004-181-0x0000000000000000-mapping.dmp

Download