862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
Size

800KB
MD5

2d07681ddf6af723c20def42d3165d60
SHA1

a14aa948c8fa080171d11fce3fa8513f9b20c675
SHA256

862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c
SHA512

a4cb0754d05696b05c883c37c33d2bdc2bbed2474164fd93b30390bbda1b673135bab59130909f3a54672e9fa888ee517aa81641d1f60b2446407b0e24d4c075
SSDEEP

12288:29X6FafsJfzi+BEoNGwCAS8+pG6ax9wGbg7:29safs9iME6Gwcvax9lbg7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1280defa-b3da-4e60-9f18-c6fab4a1ebe8.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221121143005.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2520	msedge.exe
2520	msedge.exe
2004	msedge.exe
2004	msedge.exe
1780	identity_helper.exe
1780	identity_helper.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2004	4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe	81
PID 4260 wrote to memory of 2004	4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe	81
PID 4260 wrote to memory of 2124	4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe	82
PID 4260 wrote to memory of 2124	4260	862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe	82
PID 2004 wrote to memory of 4208	2004	msedge.exe	83
PID 2004 wrote to memory of 4208	2004	msedge.exe	83
PID 2124 wrote to memory of 4224	2124	msedge.exe	84
PID 2124 wrote to memory of 4224	2124	msedge.exe	84
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2124 wrote to memory of 1780	2124	msedge.exe	86
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85
PID 2004 wrote to memory of 4368	2004	msedge.exe	85

C:\Users\Admin\AppData\Local\Temp\862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe
"C:\Users\Admin\AppData\Local\Temp\862fd2d95e0953037fa01b828db52c2f9aead801236a4c566a735de05119a21c.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.110ak.com/
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc96846f8,0x7ffbc9684708,0x7ffbc9684718
    3⤵
    PID:4208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:1800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
    3⤵
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    3⤵
    PID:3380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 /prefetch:8
    3⤵
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 /prefetch:8
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    3⤵
    PID:3664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:872
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6d8635460,0x7ff6d8635470,0x7ff6d8635480
      4⤵
      PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:1
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:8
    3⤵
    PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8533975334219295428,7228555746382344420,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5616 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.3gnx.net/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffbc96846f8,0x7ffbc9684708,0x7ffbc9684718
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11028393921446373577,13667114806535370857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11028393921446373577,13667114806535370857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
ecb87368f85105e00f78c93851b1e892

SHA1
e02cffe43f3456ade7903835b9fd502b83f8e276

SHA256
9a95736da4b630780631055479c124c83cc00ff510c102112a2f89b4da3bd0e6

SHA512
cab91df44495c0f622b47cc07788ad71c7c792c362c7fb2738090d977c00aa18366faa1971cbd4d956d62fd3d4d455ea0012a5aa1421719a15cc51717ea5afe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
412B

MD5
06f3ebfad0a3e3871e797ad0e9064aa4

SHA1
7206d9f8a27924a68d2127c2212c24ff0c826111

SHA256
c1f898424f0b084fd3eb18aea16a07f01f442ed161b762c43514222a1acd6e70

SHA512
2b2456a4969dbc31c099195662d01cb72e448edb5bfb484b269d8987d0e90e9828801a9fbd50b7c328baa20fed0b945119582b4baab8961223dae6e416fbebdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2a4284e608caf518daba513f24a5aedd

SHA1
be43a8028ab4487087523873392861c484ef9295

SHA256
d18e250f4f97e1e5e53bda7d322c2aaabb21766fc9f1377b97903b974a2ab9b9

SHA512
e7b3542b994b49ee7064a04586fc079c7c131f35c9ae7a8c7770b4694094739b3c4f1074e8dd8b183413d2786e926b57691129dd27b525b8c18867bae4c57ff9

Download Submit