1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe
Size

60KB
MD5

0356427de68422073f59a3d288efc330
SHA1

1eec2e7ebc3b9f578718ec56c1dd37f60f3ad6a1
SHA256

1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d
SHA512

05b059d2ef45fbad06e556037185f073515aacae06bcf3bae748dd777786913c840b860aaca49ed3485666638ecf122d879fd6be013b39636c0850c946104073
SSDEEP

768:iVutBMNT83V/nOPEgXK4/soWDjTwOWOCmjR0DMlDBviXCn17IF3cqqbCW2w9XF7D:U6uapN21/skOW7mVfDqy7ICosXRMYX

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6F30EF76-EA16-4BD6-B222-7E1239583769}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B24CB3C9-A96F-46FB-AF2D-89C1434F5FD8}.catalogItem	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\397abcdf-b8d7-4e90-b508-15984ed59168.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221130180200.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3196	msedge.exe
3196	msedge.exe
2488	msedge.exe
2488	msedge.exe
4684	msedge.exe
4684	msedge.exe
1160	identity_helper.exe
1160	identity_helper.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
4684 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4684 msedge.exe
4684 msedge.exe

pid	process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

pid	process
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1152 wrote to memory of 4544	1152	1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe	msedge.exe
PID 1152 wrote to memory of 4544	1152	1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe	msedge.exe
PID 4544 wrote to memory of 3560	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 3560	4544	msedge.exe	msedge.exe
PID 1152 wrote to memory of 4684	1152	1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe	msedge.exe
PID 1152 wrote to memory of 4684	1152	1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe	msedge.exe
PID 4684 wrote to memory of 3452	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 3452	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2164	4684	msedge.exe	msedge.exe
PID 4544 wrote to memory of 2072	4544	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe
"C:\Users\Admin\AppData\Local\Temp\1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7cb446f8,0x7ffd7cb44708,0x7ffd7cb44718
3⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5501479989971341109,15620926432995575742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5501479989971341109,15620926432995575742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2772 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1339d85f5100e10b48b4fc797e260c5db01e2b164c415896f49d0cb8599f821d.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7cb446f8,0x7ffd7cb44708,0x7ffd7cb44718
3⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
3⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
3⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
3⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
3⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 /prefetch:8
3⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
3⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
3⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6164 /prefetch:8
3⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
3⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
3⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
3⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7b8235460,0x7ff7b8235470,0x7ff7b8235480
4⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1964 /prefetch:8
3⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
3⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
3⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
3⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6784 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,3503405705167933800,3459464738557941583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
3⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
df0623444ea388107880401724fc0861

SHA1
82697f864f2da4c0d6e218b206901d8acfcd388e

SHA256
850aaa3c1d52a8daa3f56567be074f6fdf7358dd01c33268005747e78a19c667

SHA512
f214c68856d4dec4a3748d92c81b3dcba3be9a1a5335200cf1b9f35a51a60d6c022a7e18ada0f3e353f686bc645d28dcfe1508cdcd4bd3862fbdb5df8c84695f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
302ccc431609cad913893a5762258293

SHA1
c88d15ce7198f7296e281fd342d621618a1eddb9

SHA256
3963c5a71bd7299478ffdb264b1e8d812aa9598d8d74413ab29268a0545fccb5

SHA512
520870fd7d55484064ec7950fd74646140a240cec3261691807dbb857f2a6285d587ebfa34a70d122f9cb9b5d59ca0441e965648eb592333d90fa29ef7f42b18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
442B

MD5
12d07c56b529e1dcb9df40587b7adf94

SHA1
e2baab32804da14c582570134482b697d7d150e4

SHA256
c0fe94bde8831dfdc2e74fd2958cd2a0e3f33d36a8c65def3379078a89582409

SHA512
c9b3b83d4a405a5ee28b0aa406dd8f8421f88b56dbe6fef71a3d3bab98ec709d99550a13d4ced6d5661db344300e4290f49cc3780f04c2870fba6387ace71654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
442B

MD5
12d07c56b529e1dcb9df40587b7adf94

SHA1
e2baab32804da14c582570134482b697d7d150e4

SHA256
c0fe94bde8831dfdc2e74fd2958cd2a0e3f33d36a8c65def3379078a89582409

SHA512
c9b3b83d4a405a5ee28b0aa406dd8f8421f88b56dbe6fef71a3d3bab98ec709d99550a13d4ced6d5661db344300e4290f49cc3780f04c2870fba6387ace71654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
ab895b9bcf954d194d956032a934efcb

SHA1
a012c5d8b9980cb28abb2649d11dc2045bb4ea25

SHA256
1b74d12bf62f9afe626593e2f9f2396f43b1afb6a50e9092bc2087f53460c3d6

SHA512
e038e5dcf44eae1e1090bec2c6d311637324d4bba8e274666b1f393a58581341d3da40f152e2ce404a351c7a4af96f2fb97d713f4776784b07471aa0da45f707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f0962fd596c03fe64b7058e0c7f23d29

SHA1
57541bc8523c45e1b0ee548e86e450d67ef82e26

SHA256
83f294b0dd0a50601ef93e3ddcd90fbe865ca6b9ae766c0cee2f57046edf54a3

SHA512
de1edb593f4e99d0ce9f40260b1343a1b48df5090ceb6d7ac8cacf8721b6d1b8426139fe8681bec8fb39f64160f7d563a6e1928974107ddf7b9591934a22fb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
89c77529a2539f0d9dfef5c1e733a7d1

SHA1
b038d4151c235d4641c360be99e861305d847dc6

SHA256
8bf48eabe410fa32a8514f11aee33bd32dd5239680a741308714e95aa55b0f62

SHA512
f4bbb205f03dd82f690e4c76885bfcdbb0195a61d30349b4f74f31c41fd38f6fd06e8cb41761882fb5356cc440a1124ba27c42494df892f20d7110bf719bd799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638054212936815375
Filesize
4KB

MD5
d99103e07b489816c567d95294f9424d

SHA1
579593695c2eb99ff6eafd790ba9f0d29444deef

SHA256
08281b47fbffec8fd0b0ad0caf5a0a49aab54ad07c3bfe2212337c8878094372

SHA512
a91492d3051a8dd7f8a7ae001a39e25b3b0539e1e0cf630f53ff9e91edcd9553587826aff7ee348c6b45369bc50b982797e3b9370bddbb1bf9869c4852a319e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
\??\pipe\LOCAL\crashpad_4544_QOBSXQTAUXNMNHZG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4684_JAOVLFFAKDMZHWRI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/208-191-0x0000000000000000-mapping.dmp

Download
memory/384-182-0x0000000000000000-mapping.dmp

Download
memory/1064-194-0x0000000000000000-mapping.dmp

Download
memory/1160-185-0x0000000000000000-mapping.dmp

Download
memory/1620-196-0x0000000000000000-mapping.dmp

Download
memory/1700-183-0x0000000000000000-mapping.dmp

Download
memory/1936-165-0x0000000000000000-mapping.dmp

Download
memory/2072-142-0x0000000000000000-mapping.dmp

Download
memory/2164-141-0x0000000000000000-mapping.dmp

Download
memory/2172-176-0x0000000000000000-mapping.dmp

Download
memory/2356-162-0x0000000000000000-mapping.dmp

Download
memory/2488-159-0x0000000000000000-mapping.dmp

Download
memory/3196-146-0x0000000000000000-mapping.dmp

Download
memory/3212-184-0x0000000000000000-mapping.dmp

Download
memory/3268-193-0x0000000000000000-mapping.dmp

Download
memory/3376-169-0x0000000000000000-mapping.dmp

Download
memory/3452-135-0x0000000000000000-mapping.dmp

Download
memory/3536-187-0x0000000000000000-mapping.dmp

Download
memory/3560-133-0x0000000000000000-mapping.dmp

Download
memory/3640-178-0x0000000000000000-mapping.dmp

Download
memory/4304-171-0x0000000000000000-mapping.dmp

Download
memory/4484-174-0x0000000000000000-mapping.dmp

Download
memory/4544-132-0x0000000000000000-mapping.dmp

Download
memory/4684-134-0x0000000000000000-mapping.dmp

Download
memory/4708-180-0x0000000000000000-mapping.dmp

Download
memory/4904-189-0x0000000000000000-mapping.dmp

Download
memory/5068-167-0x0000000000000000-mapping.dmp

Download