c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe
Size

1001KB
MD5

55c0013dbdd7d48ca0a03958399a9de7
SHA1

73f9700da1b5ca83456ca2020277e22eb72a41ce
SHA256

c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2
SHA512

6841603a8b8beb5583cdcdebca31c246118d3f987a4c4aa19943120f309869bbef1184c57876aac41582ee1b666c90798ebd8b3bc78f6955057a1f31be6253c7
SSDEEP

24576:FM+u61EsuSwQ0siK3EkFZbmNrU0W0RWWuL8Z4:FMKnxlF3EkFZSgu1uL8q

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3932	v8.6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	v8.6.exe
File opened (read-only)	\??\Q:	v8.6.exe
File opened (read-only)	\??\W:	v8.6.exe
File opened (read-only)	\??\Y:	v8.6.exe
File opened (read-only)	\??\F:	v8.6.exe
File opened (read-only)	\??\H:	v8.6.exe
File opened (read-only)	\??\J:	v8.6.exe
File opened (read-only)	\??\N:	v8.6.exe
File opened (read-only)	\??\R:	v8.6.exe
File opened (read-only)	\??\T:	v8.6.exe
File opened (read-only)	\??\V:	v8.6.exe
File opened (read-only)	\??\X:	v8.6.exe
File opened (read-only)	\??\A:	v8.6.exe
File opened (read-only)	\??\E:	v8.6.exe
File opened (read-only)	\??\L:	v8.6.exe
File opened (read-only)	\??\M:	v8.6.exe
File opened (read-only)	\??\O:	v8.6.exe
File opened (read-only)	\??\P:	v8.6.exe
File opened (read-only)	\??\S:	v8.6.exe
File opened (read-only)	\??\Z:	v8.6.exe
File opened (read-only)	\??\G:	v8.6.exe
File opened (read-only)	\??\K:	v8.6.exe
File opened (read-only)	\??\B:	v8.6.exe
File opened (read-only)	\??\U:	v8.6.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\778fb7b6-b695-4376-9845-1f87814326ac.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221030070723.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2396	msedge.exe
2396	msedge.exe
2376	msedge.exe
2376	msedge.exe
316	msedge.exe
316	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
1648	identity_helper.exe
1648	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
316	msedge.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe
316	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3932	v8.6.exe
Token: SeCreatePagefilePrivilege	3932	v8.6.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
316	msedge.exe
316	msedge.exe
316	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3932	v8.6.exe
3932	v8.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3932	5020	c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe	82
PID 5020 wrote to memory of 3932	5020	c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe	82
PID 5020 wrote to memory of 3932	5020	c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe	82
PID 3932 wrote to memory of 316	3932	v8.6.exe	83
PID 3932 wrote to memory of 316	3932	v8.6.exe	83
PID 316 wrote to memory of 952	316	msedge.exe	84
PID 316 wrote to memory of 952	316	msedge.exe	84
PID 3932 wrote to memory of 3836	3932	v8.6.exe	85
PID 3932 wrote to memory of 3836	3932	v8.6.exe	85
PID 3836 wrote to memory of 5068	3836	msedge.exe	86
PID 3836 wrote to memory of 5068	3836	msedge.exe	86
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2700	3836	msedge.exe	89
PID 3836 wrote to memory of 2396	3836	msedge.exe	91
PID 3836 wrote to memory of 2396	3836	msedge.exe	91
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90
PID 316 wrote to memory of 2228	316	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe
"C:\Users\Admin\AppData\Local\Temp\c730ffdff5ebd938d879cd02e3965666796db55ccbc6ca8c6dd574f9998411e2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\~sfx00142ADE1D\v8.6.exe
  "C:\Users\Admin\AppData\Local\Temp\~sfx00142ADE1D\v8.6.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://us-cyber.hj.cx/
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffc930c46f8,0x7ffc930c4708,0x7ffc930c4718
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
      4⤵
      PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 /prefetch:8
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      PID:3156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
      4⤵
      PID:4480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
      4⤵
      PID:2972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
      4⤵
      PID:2980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3512 /prefetch:8
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 /prefetch:8
      4⤵
      PID:3456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff61e105460,0x7ff61e105470,0x7ff61e105480
        5⤵
        
        PID:2992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11722131550378762511,17768608978172355818,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6776 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://moeztro-h4.blogspot.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc930c46f8,0x7ffc930c4708,0x7ffc930c4718
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13372418624142419045,16381040870537223561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:2700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13372418624142419045,16381040870537223561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
32187a8c9387f0c55241cdd732062c4b

SHA1
7d820730a1f68f5d879e2514916755b0d2a86124

SHA256
b1dec3914cc64b7d0a0e9fadc0f43e73985682ceecf5f816e510986e7ee99900

SHA512
7f66ff3452fe1e10da0ff9a03a0cb8dbe540fd351bc3ce98c8627925c3efa39690557216fd2ef52a9e740f7b484b6961d2ba0e6bf73c28aaf3c6baf73a62e8da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
bb0610c0b026627c7a646f3579c6f4e7

SHA1
b3c8ebed7df775ac2a441e032fb6cc98d7704f8d

SHA256
f23e0b6991e94325fef32f951f793f601721e738e695d0cd02d1d6d7d885ee59

SHA512
3d773374e2c474a368e647755ba85a40e976f0e80f93790d84fc07d200b5d1981bdf58628e15520d35e225926edfe77d025af1d20e30e476ae4a8525a046d887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b544e07ead1fa308e42f0881cc72b0fd

SHA1
1d8a30537d5c1de110fa6cd4cca05bddf85bf65b

SHA256
68af81877425eec7a137efbfe11e630605c94f1267ff042845cd23254eb31076

SHA512
92a62dc80337cd1ab31cd2e7d5c166d54659d682ecc656c1e39528e20baefd176822fd3b4161fdae95178a2862247b6a135f4fda62bce9e94460ebe1d0e15337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3b878f59fb32f13ef7102df6f0293da

SHA1
da13546cb418455bea614a445d06d51d2a0534c5

SHA256
dd182373cf6d8567a2e0cfe3a05ef4f74255473cd5008d0f1d0a0044b512ef63

SHA512
e964ab2ab4441509672802cfa761a25049e9d40a68fcc65f21c27fe344b8bbae20092dfeb054900c4a1e391882a6b8d54a9b89cce21819df2f4850b6e8ced8a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b544e07ead1fa308e42f0881cc72b0fd

SHA1
1d8a30537d5c1de110fa6cd4cca05bddf85bf65b

SHA256
68af81877425eec7a137efbfe11e630605c94f1267ff042845cd23254eb31076

SHA512
92a62dc80337cd1ab31cd2e7d5c166d54659d682ecc656c1e39528e20baefd176822fd3b4161fdae95178a2862247b6a135f4fda62bce9e94460ebe1d0e15337

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx00142ADE1D\v8.6.exe

Filesize
196KB

MD5
23b71f1b61c2f5b6820590ec55584d27

SHA1
ba4f86a7c3aa84f7db7ffef2d4028683fa243804

SHA256
6d4745232981dfed45e4aad4de2663dda0f59e376b13d6a94a2327160f321680

SHA512
a2c4d571251a610df1ad4be36a47272d3b44d8be057a17683b6c89d2bbcf4436d23199b3cdb8e3caf8d5fbb1fd0098d23c1ea52c468cc4ca63b654b69df0b18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx00142ADE1D\v8.6.exe

Filesize
196KB

MD5
23b71f1b61c2f5b6820590ec55584d27

SHA1
ba4f86a7c3aa84f7db7ffef2d4028683fa243804

SHA256
6d4745232981dfed45e4aad4de2663dda0f59e376b13d6a94a2327160f321680

SHA512
a2c4d571251a610df1ad4be36a47272d3b44d8be057a17683b6c89d2bbcf4436d23199b3cdb8e3caf8d5fbb1fd0098d23c1ea52c468cc4ca63b654b69df0b18d

Download Submit
memory/316-138-0x0000000000000000-mapping.dmp

Download
memory/860-183-0x0000000000000000-mapping.dmp

Download
memory/952-139-0x0000000000000000-mapping.dmp

Download
memory/964-156-0x0000000000000000-mapping.dmp

Download
memory/1516-159-0x0000000000000000-mapping.dmp

Download
memory/1648-185-0x0000000000000000-mapping.dmp

Download
memory/2012-167-0x0000000000000000-mapping.dmp

Download
memory/2228-151-0x0000000000000000-mapping.dmp

Download
memory/2376-152-0x0000000000000000-mapping.dmp

Download
memory/2396-149-0x0000000000000000-mapping.dmp

Download
memory/2700-148-0x0000000000000000-mapping.dmp

Download
memory/2792-177-0x0000000000000000-mapping.dmp

Download
memory/2972-173-0x0000000000000000-mapping.dmp

Download
memory/2980-175-0x0000000000000000-mapping.dmp

Download
memory/2992-184-0x0000000000000000-mapping.dmp

Download
memory/3156-169-0x0000000000000000-mapping.dmp

Download
memory/3836-140-0x0000000000000000-mapping.dmp

Download
memory/3932-132-0x0000000000000000-mapping.dmp

Download
memory/4480-171-0x0000000000000000-mapping.dmp

Download
memory/4612-165-0x0000000000000000-mapping.dmp

Download
memory/4700-161-0x0000000000000000-mapping.dmp

Download
memory/4788-186-0x0000000000000000-mapping.dmp

Download
memory/4960-163-0x0000000000000000-mapping.dmp

Download
memory/5068-141-0x0000000000000000-mapping.dmp

Download