a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
Size

477KB
MD5

07516906e428d39bf512ddb6c3a74d65
SHA1

318f172f936c9b11bc060219951053909ac20520
SHA256

a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa
SHA512

ae0d89966fa9242850a9e6ef09a4ff0313f3f0156bcdd6ad6d39ddfa3bbda7e77882d0b7558e4112c3648e02f2695d558d031294a1d4e8c817055d1049393ab2
SSDEEP

6144:cyOBfkBSFNkquurci6T+uBSa83Y4Ma/Bk2MyuBqPCS+GPCXATD6eppMnRPWAN2Iz:iBfkckkz6T+uBLpwPCX+6eppMnRNzGfY

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\F:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\G:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\O:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\P:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\T:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\E:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\M:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\N:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\Q:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\S:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\Y:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\Z:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\A:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\I:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\J:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\K:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\L:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\R:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\V:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\H:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\U:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\W:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
File opened (read-only)	\??\X:	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7afad232-916c-4ba1-91c2-c3f0e94eedab.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221209144612.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\msew_02q.css	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
4860	msedge.exe
4860	msedge.exe
444	msedge.exe
444	msedge.exe
3352	msedge.exe
3352	msedge.exe
3428	identity_helper.exe
3428	identity_helper.exe
1896	msedge.exe
1896	msedge.exe
1896	msedge.exe
1896	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
Token: SeCreatePagefilePrivilege	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 3352	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe	79
PID 4292 wrote to memory of 3352	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe	79
PID 3352 wrote to memory of 1880	3352	msedge.exe	80
PID 3352 wrote to memory of 1880	3352	msedge.exe	80
PID 4292 wrote to memory of 208	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe	81
PID 4292 wrote to memory of 208	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe	81
PID 208 wrote to memory of 4004	208	msedge.exe	82
PID 208 wrote to memory of 4004	208	msedge.exe	82
PID 4292 wrote to memory of 2636	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe	83
PID 4292 wrote to memory of 2636	4292	a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe	83
PID 2636 wrote to memory of 3716	2636	msedge.exe	84
PID 2636 wrote to memory of 3716	2636	msedge.exe	84
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 2636 wrote to memory of 4660	2636	msedge.exe	87
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89
PID 3352 wrote to memory of 3840	3352	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe
"C:\Users\Admin\AppData\Local\Temp\a5fcf1f76a427539103b33859bda936890defc70c9c85710ab6b125858841afa.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pekalongan-community.com/
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd790146f8,0x7ffd79014708,0x7ffd79014718
    3⤵
    PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:3840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
    3⤵
    PID:700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 /prefetch:8
    3⤵
    PID:1320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
    3⤵
    PID:4308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5732 /prefetch:8
    3⤵
    PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
    3⤵
    PID:2040
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:1488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x104,0x22c,0x7ff655245460,0x7ff655245470,0x7ff655245480
      4⤵
      PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8079368497462809411,8909910905530021239,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7068 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://adf.ly/FT4JE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffd790146f8,0x7ffd79014708,0x7ffd79014718
    3⤵
    PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,4370978050043316792,13249288347474943366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,4370978050043316792,13249288347474943366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pekalongan-community.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd790146f8,0x7ffd79014708,0x7ffd79014718
    3⤵
    PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13397762733241245324,11898042485054978860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13397762733241245324,11898042485054978860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3f683acb048f9ac2e726e0e02f30f77d

SHA1
236b3e1f9d8e2d462d69941233d941c805a1ab65

SHA256
e647c6adc950ce1f788b65da667926f22d3a21eef5d1ef57132c181781c00b3b

SHA512
fbf00efcebc6112820840986773c878adc02dc50463edf4ffe81dd3a46f058f0d0a8af361a30d0f668383e43c0276169b01170c1744b2fb0c779e7f65960a97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c41507badebf25c8839bdbe24f52a3e4

SHA1
c8354e505dc4b1ade6eb193f00cc13332c164ed9

SHA256
adebfc81ba25b2c1c2aa9f24921a48bf3be230221b181dfba118e6ee58a07491

SHA512
ec7e4f08a967bb568a9fd758cfff1e0bcb9ee6e8c3adbde2cf2dff1f361c3df0e667cdcbb5c1c524515b3e3d42e854fc0e615fc539bd8705634bc21f2b7c1ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c41507badebf25c8839bdbe24f52a3e4

SHA1
c8354e505dc4b1ade6eb193f00cc13332c164ed9

SHA256
adebfc81ba25b2c1c2aa9f24921a48bf3be230221b181dfba118e6ee58a07491

SHA512
ec7e4f08a967bb568a9fd758cfff1e0bcb9ee6e8c3adbde2cf2dff1f361c3df0e667cdcbb5c1c524515b3e3d42e854fc0e615fc539bd8705634bc21f2b7c1ddc

Download Submit
memory/4292-132-0x0000000000400000-0x00000000004AC550-memory.dmp

Filesize
689KB

Download
memory/4292-188-0x0000000000400000-0x00000000004AC550-memory.dmp

Filesize
689KB

Download