a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe
Size

3.0MB
MD5

35ac21a74211e13efdbc677d0c6572ed
SHA1

c7d661e8d9ec1f60e0430e37991d90ccd956bd67
SHA256

a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5
SHA512

30790205c08b038591cf40c46f299099cfe9dbce048d64ba03116aaf6f49aebf4e620829354570b404726b0013fba320619ecb00196ed499f02ac8b04f226983
SSDEEP

98304:xCOZlaG9IP5hZKu11lqG43LfXtXnd5L7:qGc5jF1qG4LXtXdt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe
4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe
4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4404	msedge.exe
4404	msedge.exe
1628	msedge.exe
1628	msedge.exe
3212	identity_helper.exe
3212	identity_helper.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe
4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4796	4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe	84
PID 4716 wrote to memory of 4796	4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe	84
PID 4716 wrote to memory of 4796	4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe	84
PID 4716 wrote to memory of 1540	4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe	85
PID 4716 wrote to memory of 1540	4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe	85
PID 4716 wrote to memory of 1540	4716	a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe	85
PID 4796 wrote to memory of 4404	4796	rundll32.exe	86
PID 4796 wrote to memory of 4404	4796	rundll32.exe	86
PID 1540 wrote to memory of 3296	1540	rundll32.exe	87
PID 1540 wrote to memory of 3296	1540	rundll32.exe	87
PID 4404 wrote to memory of 3152	4404	msedge.exe	88
PID 4404 wrote to memory of 3152	4404	msedge.exe	88
PID 3296 wrote to memory of 1296	3296	msedge.exe	89
PID 3296 wrote to memory of 1296	3296	msedge.exe	89
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 4552	4404	msedge.exe	91
PID 4404 wrote to memory of 1628	4404	msedge.exe	90
PID 4404 wrote to memory of 1628	4404	msedge.exe	90
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92
PID 4404 wrote to memory of 4412	4404	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe
"C:\Users\Admin\AppData\Local\Temp\a357b7e87afed8a911877c0f4e3bf98882bf2e8f3fa2668102abf125eabe4ed5.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler http://97wg.taobao.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://97wg.taobao.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb3c3246f8,0x7ffb3c324708,0x7ffb3c324718
      4⤵
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:3220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
      4⤵
      PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      PID:1760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
      4⤵
      PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      4⤵
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
      4⤵
      PID:760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      4⤵
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
      4⤵
      PID:2068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14745060429505707967,12111969652215398949,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:724
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler http://88888888wg.taobao.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://88888888wg.taobao.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3c3246f8,0x7ffb3c324708,0x7ffb3c324718
      4⤵
      PID:1296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,5157257656395269004,15290213433628219145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
      4⤵
      PID:432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,5157257656395269004,15290213433628219145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
451fddf78747a5a4ebf64cabb4ac94e7

SHA1
6925bd970418494447d800e213bfd85368ac8dc9

SHA256
64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d

SHA512
edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
6c7316edba8fe339dd704859551276c8

SHA1
992138390738f640e1a064e1bdf04610e03b4230

SHA256
acb9640abfce1eea28967354e95cbeb7e406e166c674de167d62c44a9341a5f8

SHA512
ea1e30749195981935df47ab1b7454366601a9c2cd1585983c9611c14b1916446b246d279125cedea44da6da56b99bd1678a9c2aaba0c4bba16c9b77cb872603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
790B

MD5
73553bfe26a96bb1bfe90272a540de0d

SHA1
a71a0b24c82b690ed59b708e9d8d471753c75109

SHA256
9364f7e825d42e639496c31b93b1aef05fc80c911f05df663d393b49429939b8

SHA512
e74a3c579da29f17a4f2d5e131c138f26ebf9a3268e5ec990b5fe497098ac7cdac9595468cf9a104482f410e6fffacf7c988afde637e60705f2848fdd2832212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1dd56af6e438d6397a4a565dd00a131c

SHA1
5d13be032170d75a7df283247665af19fd93bc01

SHA256
18f27bdc36614b9fef040370de52e6468de0ff29c94d02b185fdaf0386e9b1e6

SHA512
67c3d74f1a2076438d18fec8a9243fdf557913a8fc7b16c7721a1139098bc28a9814dce9311b0db9920dad8bc96e67865796fcc560a012959c2f4ca801780425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
003f74cff1316b498ffb402b0c60ec9b

SHA1
8c31fc65e037688655e5c37774f4ed02c6597585

SHA256
13278dc277c9c8e33f2986f78d8562f41e5ba9b6c63d44a64cdefe098e6635ae

SHA512
17825b7fdab43eae65b692486f712489dbd68df210c5fc4ab8140d5bae7a85b140aee1be50a2a06d93d9bdc648b921544ea0c3853a7cc63cde9f65e01d2cc9c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
34e06fd5d3f5eef8d4ffb3b09e3055e0

SHA1
574177130804eff55d10bbc57ad3267747aa0a80

SHA256
6ecd0814b9d96e758fc466f80d6bf6ae1dc71b375fd264bd76df8cebee20c789

SHA512
331b59adf0bb846de1a2743f04c236c27c6e79d03a0a445c87ac86bb4724e182d9f525289b6684b883ce20ad383124c0acca1b8f60bc64385da1a046e5e140c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585dbb.TMP

Filesize
540B

MD5
3a5c8a6976bb30124be3554d49186fde

SHA1
da7036f35a99223a0e84d73ea3e0fa9711d0e09a

SHA256
a4d3790850cc7f8a9a32c7f5dd70091a5adc5ee33798a0b21a3832fb4da2dc51

SHA512
ad28a2026d26736ddcee0369b574c1ebee377f2ba1139a4ddf93ac0469027fa2ce02545c2cad27922106c6412a07363ba00b40d29e226a5a2edeea12b05fa843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ac917024-75d9-4ff9-8ab4-6442bb67a4b3.tmp

Filesize
5KB

MD5
9925039d43fd4c5040701c987ab6b479

SHA1
61cfb2ce0ba02d5039c80edd692848ee90edf6cb

SHA256
0e00a213c41af3c71121d42ef5e7ee865ab88822d27d868e20648cd863c9daed

SHA512
f2d418ad5635d5401f07f0ba8a8eeedba1358f38ebabbe7355befa7f6611862bcb6208e83d8816e7ff88ca3f25c1711d4ffc720f92db03274a2cd9f46c862a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
df04984d508248fa87e3fb094332dfed

SHA1
1d85ec801a3c4bf5abc7693ba3d1ce864c1a8cae

SHA256
dbc73856ca115d015f8c0d176b42cd6ecf88d0fb0d7bc27ddb57ee5f6645bc37

SHA512
b3899f71aca012b3b9de67a8377843d3938f63af937f6948a69e1e253725f3fbaadf96268b0514417c1afb5912e6d067f6836d3e716c4a4439364506cb8ee850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
df04984d508248fa87e3fb094332dfed

SHA1
1d85ec801a3c4bf5abc7693ba3d1ce864c1a8cae

SHA256
dbc73856ca115d015f8c0d176b42cd6ecf88d0fb0d7bc27ddb57ee5f6645bc37

SHA512
b3899f71aca012b3b9de67a8377843d3938f63af937f6948a69e1e253725f3fbaadf96268b0514417c1afb5912e6d067f6836d3e716c4a4439364506cb8ee850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4b80886584f18e496aa68f2ec4124032

SHA1
368b9e61eb9896e654052f1bc0af1bb788c25931

SHA256
0fe4d8fda64da8f21f69083b432509abb09047eeeee665ddc4b9a7f8883d8408

SHA512
a521937a2bfa105c4e9264af5f5bdfd00b1fcc2a208e8408e2a878f8917bc7ea6462f3864c0d311f9f2fb7c75d5f65ea04c81c95f3525ade60a37d5555e1693b

Download Submit
memory/4716-0-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/4716-176-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/4716-64-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/4716-17-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/4716-2-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/4716-1-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/4716-272-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download