aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856

Analysis

max time kernel
251s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 11:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Size

2.5MB
MD5

2ee2dcfd41f96665deb8214a3fffd992
SHA1

d76bd65f8f2a6863e1fa812f7f7622ea6932bbb2
SHA256

aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856
SHA512

d7263a9eadad18bd7ad59c7c6fd5d56c053e68404436e2c47e9768621738ca69ca7d8c6f33988318add791e8cdbc2fc27fd2a9668310be06ecce6a952d71fb29
SSDEEP

49152:SWdAy94jw/2/rVWDWIcNyukOGGPzSo1ScLEGqhDbwb:SWGXk0SaczOG6GOpavw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\uniregistry.com\ = "0"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\uniregistry.com\ = "18"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\uniregistry.com\Total = "18"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "yes"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\uniregistry.com	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\uniregistry.com\NumberOfSubdomains = "1"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\uniregistry.com\Total = "0"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\uniregistry.com	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{8A710886-4E39-4433-9C5C-28D55AD3552C}	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{FCCF8131-8F75-41D7-8876-A822235D135B}	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4820	msedge.exe
4820	msedge.exe
1328	msedge.exe
1328	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2520	4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe	92
PID 4244 wrote to memory of 2520	4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe	92
PID 2520 wrote to memory of 1580	2520	msedge.exe	93
PID 2520 wrote to memory of 1580	2520	msedge.exe	93
PID 4244 wrote to memory of 1828	4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe	94
PID 4244 wrote to memory of 1828	4244	aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe	94
PID 1828 wrote to memory of 2732	1828	msedge.exe	95
PID 1828 wrote to memory of 2732	1828	msedge.exe	95
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 2220	1828	msedge.exe	96
PID 1828 wrote to memory of 4820	1828	msedge.exe	97
PID 1828 wrote to memory of 4820	1828	msedge.exe	97
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98
PID 2520 wrote to memory of 880	2520	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe
"C:\Users\Admin\AppData\Local\Temp\aa370b5b3c82fd19a42eb7c376187df1be1cec7aae41013204262ac8f39f5856.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.thundercheats.com.br/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa13ba46f8,0x7ffa13ba4708,0x7ffa13ba4718
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
    3⤵
    PID:880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
    3⤵
    PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 /prefetch:8
    3⤵
    PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    3⤵
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
    3⤵
    PID:520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    3⤵
    PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,4392666898860878668,1768314960261673432,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 /prefetch:8
    3⤵
    PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gchka.blogspot.com.br/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa13ba46f8,0x7ffa13ba4708,0x7ffa13ba4718
    3⤵
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6419761567405313974,10374061469989707421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6419761567405313974,10374061469989707421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
9ceaca4cb8ef58c136bc60ee56c3973c

SHA1
7f10267b56f9d43eaf808d52e468cd8cfc5782a5

SHA256
47239a8c36e103def8d29ddc41dd43e5e96b3e719df036e938296e2c960decb0

SHA512
3b76b46742ccce7ba1acef48007b317b4af3210275183b7f377ebdc38368271c599e384b233d125f5bf166fc6e4e47b109c363e2026db1ce68db749d4cb405b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
59d2f5c515d0bc8ba836e4fba9e11883

SHA1
e534b831bc0704e8c6cc9e8e4969414bf2bb8c58

SHA256
cc33acc0a4f415f4ffcae21a90d688fdc559a9e031eec0291b79343e3b1a109f

SHA512
142c40e568c554d22deb3c9523108d73970b28e7b576f2024b7c688f46b71ee1b4cf56e3a3eb7d80b372e0218c3cf25e4d84134efdb47c8e8ad3e18462783bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
302ccc431609cad913893a5762258293

SHA1
c88d15ce7198f7296e281fd342d621618a1eddb9

SHA256
3963c5a71bd7299478ffdb264b1e8d812aa9598d8d74413ab29268a0545fccb5

SHA512
520870fd7d55484064ec7950fd74646140a240cec3261691807dbb857f2a6285d587ebfa34a70d122f9cb9b5d59ca0441e965648eb592333d90fa29ef7f42b18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_5C379F3600DE745720AF61433A9796B2

Filesize
472B

MD5
608e4d04a251ebcd51660e801f388303

SHA1
fcb9aa48fd6ed504a1a9fed7990c5ccde63e6a1d

SHA256
cc1a34cd0a99e301df97cf184ab0ded2e229659f86f43e4eff479dee221695dc

SHA512
6bf5788982bacca8c9a9b596a6fb719e0707d26e966c83a4e668766dd55e08a1ccba61ec691392e863d4e8a354b308351ca45c42df9abb4a3e51f3164f3e1b8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
72a3cab2118471e6d10b27b4afb47051

SHA1
ceff0e88b44aec8c61d000f96f37f9163be1d539

SHA256
c3e4861bd252eac9957f2fa05a44b97fc1796f8c286f6a104f359e60234e811a

SHA512
707fb13141bd72162cf345b160517623a85b4b44ac081998cf6236de3307c68f9369c0c8d277ce873c8bcc787615b868da5d54f8c114fc462c5e5c87062e079a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
246B

MD5
02e3255b61eee5fd111c170037d62fba

SHA1
80e5d265eaa6d0a4e85fef251ce48f631b457c05

SHA256
4167ff2ae1fdffef611e0b8f4f1306dd3e505c1161ed7afad7c929352cb63623

SHA512
656062f6e5648c1197747f6b340aa1203e3f480857ff925e96210997c6da5c05a1d8f991a0a3d905f8dce9f16baf75170375472a62680c938284108777c3109f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
302e93b5c9b5028f238dcb24cfdbd7d5

SHA1
89c4c8e06d064547da12239bdcc2e624522d3986

SHA256
167d8ed8ad6d4543bab651e64e03c3f0539b523fbe701671c26e4e10756de9d9

SHA512
831c95146ba543ae131f8c377befb958a14a08984acdc9add8e6285207f848e1843b473ce57a4285355c5cb6362c608c25229a93413da84c0055f605df4dcf1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
cedcf7973fc3b81cc08ab10ec7f31495

SHA1
3d1517c627925f7ec59d52bd9940a6975d9518a2

SHA256
6b65c89fbce6ae48f43b9ae4db3c1447c35d7130cdeaa6730e287cb2945a0bc8

SHA512
a4fdce7d4c765df0c1f62e9a2824ecd782ef6387ec5811ac8295a894ccb7da0e80ab5824c7bd7c55954fc6ecf79c4667d38b00faceaeb09e7864fc7870ab1e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_5C379F3600DE745720AF61433A9796B2

Filesize
410B

MD5
63a0ba57cb7284932b17c45568be5ca1

SHA1
18da2bb7c52d00cfb820efe6da083de08bb32aa5

SHA256
adffff3ec03398b31b54418a090c7e291758a0b48f6381c31638cb110211ce25

SHA512
4cbe9c23ef762f446060c097896b30568f032f71d51a646a288116df5ed11c378aa02d85002bbf17473c130eaeaeb9c5e6d70f9bda24ad33fa891d9a2b8a20c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1c1d3be4202ec830f9ec03860d5f19a1

SHA1
21ef22172495a6bfc2b6790e661f908a7af4bdd7

SHA256
e156dd69c519fcd3a16531e9957867b91dc6f7a7d26bea767a4c3553f46db362

SHA512
9ef6bbedb2451873124ce47994ee7749b5b07601975fd5a37e4618cacf64e50cde37e0427866522257e546f4d94b467248514a26744d42cfa7ebc55ad36c3003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ae44bd28fe3f0b5550e0999236a215e7

SHA1
34fa80363c78bb2b696183afc6f667454af7c323

SHA256
306d233d49fdd2d555d1fbe1dd4daf9e99103d6179b35f0281f6319ba7069eb5

SHA512
10e52c1e5943ad50428e8a9553c0c6735cab0f8d980fee47cace71385f58a8be74aa16086496b7489b5129c7617a08d96cb0c9648d188b26c7bbc7f592cb42b0

Download Submit
memory/4244-132-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/4244-133-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download