fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe
Size

1.1MB
MD5

34e35c911a4ea707fcf1f1047c998a61
SHA1

ca9a16f65a67733cc1bdfa9c0ea4ececba95a80d
SHA256

fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0
SHA512

d8cb8b1e5e56ec79583f419d10ca7ec7c0d77e51b7b20403d6df1b61ab7c88545ec2a5ad6e0deede461b9aee191112f92a5cede951181bc1c067155cc6bd71d4
SSDEEP

1536:y01fkUy48TqafeC8KbxZDxX7mKtHEBr2h25NACTARjc7P8RvegSU0fh:118UyR+weCrFZDQKCr2h25NCj0P6vwfh

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3672 set thread context of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3bb1118d-9371-418f-bdfe-c60e0570e899.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221208031328.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4720	msedge.exe
4844	msedge.exe
4720	msedge.exe
4844	msedge.exe
2436	msedge.exe
2436	msedge.exe
3752	identity_helper.exe
3752	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 3672 wrote to memory of 5044	3672	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	78
PID 5044 wrote to memory of 2436	5044	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	79
PID 5044 wrote to memory of 2436	5044	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	79
PID 2436 wrote to memory of 1016	2436	msedge.exe	80
PID 2436 wrote to memory of 1016	2436	msedge.exe	80
PID 5044 wrote to memory of 3056	5044	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	81
PID 5044 wrote to memory of 3056	5044	fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe	81
PID 3056 wrote to memory of 3852	3056	msedge.exe	82
PID 3056 wrote to memory of 3852	3056	msedge.exe	82
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 2436 wrote to memory of 3572	2436	msedge.exe	89
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90
PID 3056 wrote to memory of 4168	3056	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe
"C:\Users\Admin\AppData\Local\Temp\fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe
  C:\Users\Admin\AppData\Local\Temp\fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87f4946f8,0x7ff87f494708,0x7ff87f494718
      4⤵
      PID:1016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
      4⤵
      PID:2320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      4⤵
      PID:2080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 /prefetch:8
      4⤵
      PID:4032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      4⤵
      PID:3000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:3148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6100 /prefetch:8
      4⤵
      PID:316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
      4⤵
      PID:3636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:3940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7bc165460,0x7ff7bc165470,0x7ff7bc165480
        5⤵
        
        PID:2476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:8
      4⤵
      PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
      4⤵
      PID:2476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1336 /prefetch:8
      4⤵
      PID:2100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
      4⤵
      PID:3856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6694893870100841643,470295613509641627,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2996 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=fe1b0398a97686d5538a9922e81b4cc3518332bf479d5d644f801bfad14089b0.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87f4946f8,0x7ff87f494708,0x7ff87f494718
      4⤵
      PID:3852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14526519907410836111,13754229437163044871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14526519907410836111,13754229437163044871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4cafe3cd531f459794e450da208159eb

SHA1
76ec72c8fa4e8d545c1fe49e50e64bad1df1e728

SHA256
2cc4061637c1712dd1658c501f40fce21f58743115b6ed8cff7d273fde53cca7

SHA512
a68160dc64c809f9486b4726b96ff8b673c04906015870503ae1e09ee924963d03c5e2320184a6f777403333a89444f5f2212f7ebe4e074bd4af6321ced72d1e

Download Submit
memory/5044-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download