4602913c7a50dfcb5994d0eaeb48694cf49bee5fbbe6e07616dbbcbc8b35b580

Analysis

max time kernel
1728s
max time network
1695s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2023, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XAU.exe
Size

7.2MB
MD5

d05c39455a6036a89bc112f5c6725835
SHA1

f326017088ff881f75198fb7876e42d762d41ee2
SHA256

4602913c7a50dfcb5994d0eaeb48694cf49bee5fbbe6e07616dbbcbc8b35b580
SHA512

9916a3df52f09f29e76ed442247a53e3887fbbb2c6697acfcb7b8e79045ad8d938824ff400142aa0344c0791d4ee62c1a974fb09af2f698cd5e58c44972bea2f
SSDEEP

98304:e5jj7mOYoXyI/PLCvSmaRT+BcPNRZ5h5AHDfyRr8l5L:e37mOzyQNNRZy

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 15505.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
4536	msedge.exe
4536	msedge.exe
2992	identity_helper.exe
2992	identity_helper.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4536	2208	XAU.exe	98
PID 2208 wrote to memory of 4536	2208	XAU.exe	98
PID 4536 wrote to memory of 1988	4536	msedge.exe	99
PID 4536 wrote to memory of 1988	4536	msedge.exe	99
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 808	4536	msedge.exe	101
PID 4536 wrote to memory of 2800	4536	msedge.exe	100
PID 4536 wrote to memory of 2800	4536	msedge.exe	100
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102
PID 4536 wrote to memory of 4964	4536	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\XAU.exe
"C:\Users\Admin\AppData\Local\Temp\XAU.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd26446f8,0x7ffcd2644708,0x7ffcd2644718
    3⤵
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:2176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
    3⤵
    PID:4520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 /prefetch:8
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    3⤵
    PID:1892
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
    3⤵
    PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    3⤵
    PID:1324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
    3⤵
    PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
    3⤵
    PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2072 /prefetch:8
    3⤵
    PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
    3⤵
    PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
    3⤵
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,13498693292386065178,14144617047957175375,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5952 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef2ab50a3d368243b8203ac219278a5d

SHA1
2d154d63c4371354ff607656a4d94bc3734658a9

SHA256
2e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf

SHA512
4533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
6c946c15bcadefc5f1e73e1583f04271

SHA1
320b47688bd4163077519d997d2ba5e06d10666b

SHA256
e528ab0480c14871637a6fbfdc1a0eb2b184a74ae043f8beeff8c1096ff5c73b

SHA512
bb2040a023ca40db994f52ea5da90d2b0d1864d2fd95db6cf476e8bd1f1e8d9e377b724e198cb1f572c5dc8eeb5b8a9f59124be2b28378577d9aa2ba6bd5d74d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
902B

MD5
551b6de7827ab62281ab964fa264bb70

SHA1
e31e01a07dbf029a3d90281787a2f52e1dfc31c6

SHA256
d98b1788f5adb8d6712c072dd68107d57b8c1df6a1279a0bc269861720743af2

SHA512
84c4a1ba536beb04b742afb8a7ffcf595e7f84962b168c28027e89ce2b9bfd8ea705779e3a889771377fd2cff24a77a5417c4962769c39eeb359ef6514e86bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1002B

MD5
3a7b75a9a1c07bff014a6078899ee082

SHA1
c2ec634470e2d567e65a0c8c07863795db38a56d

SHA256
8b5df1daf0fa782971c19a1f561f871dcca26dfabaff485c545be6ee5e214562

SHA512
bbf6f183526ec4e7b809822b85f25213732d53ad69852430af2d9331e469a4b77c3280eba9ccf452e0f9641abb2f9ce01a526f02de8d1cc85b2beff4812290c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f85c1e110d24ed8386df48e13af1991f

SHA1
58b4064a53a91478b372fc4e23eec9dfbd68446d

SHA256
92196b95a1456ace7fd82b4b00b013a3e31cff3f80f77b49aa8f7efc70c3760c

SHA512
25ae2db74fbe0145d78fc90e21607c16836e0c3c5eee4e5f445caee2cad7873a7d8d267f0595dff50b1aaaa6ff038c0c8697f4db21e4f8d39ac72773261971fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3674f5b54e257a05b301543f5cd8fa09

SHA1
f858019add1d7cb095cb182b7f917b8ada73b77f

SHA256
e0176466bf7310c4224e0096bd14c99a951daf8e4fbbd21a69abf9a1522f81a7

SHA512
05afe14fcc16ef43b3e4eb8aaafb1127129d6859f704109d472a3639d84c049bf6ba3c829b41baa0ca70888117d5a36f838a154fb49b3c8874c4b259982d401d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb6fb5554d1527a198400df3e6ccaa82

SHA1
ea7d8fe1f46aff25bf57eb5cd900bef816720110

SHA256
8abbb683361d655e592f1af0a765e29e982d54f633e3903a7ae0be23f68a98b7

SHA512
fa7dfc25cabf6373fbb34c770942421da21c7b02e8bfbbe81d506047124ca0404982f92998e5be4dc89981ec0b878f8191d66ab88deb0ec2b0352463e67e4c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca754b5d657082fb2b9c01ef627df0c9

SHA1
16244184719b52b19c2de1b78255768978b95b9e

SHA256
2360fcad5cfd468d7b88523a7eb1891133bf7ee27d3f8b4b7e29f9047a4b26d9

SHA512
9ea5cd65202eb156105d1e3ffedcfcf41b41c2935859a4d3cb28432a0740b5d8cb055223e182caae6fb6eefe6655d6d85a2ec9838757084ea11c3cedfcbd8a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bf38e67347aea6d520cda5fde321a1e5

SHA1
0e7a8def4c923201d76b41dfa9918bb1052827ea

SHA256
0f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025

SHA512
f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
9274f8bc6ca102e9e7d2548167c9e264

SHA1
c67c53c370eae07b1c23883bac2acae3db2ecead

SHA256
03c98dcd87d101e64461e1cc8010a003bb36f9e1154c2ee8df4a6781e7d1afa1

SHA512
1217441c5675b75d4989d9ab1f2ec0209cdd566b4b04b0a75d9294e137d0436f711e600da1995f75bd9f5b00906bf6d7f1cb4c3cb847c7b59a36da376e27c3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
c3878937db3b302962bec6d9328639f6

SHA1
3d0270e01c576e1643ae69f2a230ba864cdd654d

SHA256
215eaf8b87ae54ecd92635e1f7f7c9f5b544549178f6013cb6bb137665b78830

SHA512
af050bc6d71a5b3394abebdc9efdd1b52fb4e56ff91e03d62a2e2e9ce7f0c1c14aafda74f6c72ab2824fc25d528d88c5d332de601293fece0d1685adb56c2641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b58f.TMP

Filesize
539B

MD5
2d4cdc5462d74c73858e507e39420f45

SHA1
29f239f4c54823d62ab72311a89d2087403f4cc0

SHA256
591f08ae86edf5c6d62d720c82743d4adc61f77c91f77a51499324c8dd4c589b

SHA512
37274bda6b758ec67fbf705ea1e86b79cf8e0bfc7763f5525f46cfc1868774f6954dd8be7c69a91957175b316278055a2eb3b066a1309dc1ab7e59292e49588e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da8a7b2a791a92ddef804e2f57fa6736

SHA1
c5e6952e248f5ba85d004c81f9538f33970bcfa9

SHA256
a4163f53d8622f4b9850355cb7ed7891d0f7fd5dc6a87221d6d1d55d0061fcb7

SHA512
2f3fd0cc4c0a19e84050f2bc704371548b2c42c696fa1741fd23765367470ac0024ea12e62d46829db2b75e2155d9157105027c46eb67c1efeef4e533d9bc95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bd9a61060c31cbdc8f9ecb67fd070a82

SHA1
fca65c583faf2b1074e8ddc7854909bf28fdfb82

SHA256
eb28935433a6079d10d9791c81dbc7120a3acb044f3b7c19d254e4c4e15b180e

SHA512
fdd2c4230241fdf0e5fa5c57a71fc57e3e51577718275cad1d0214e1c5659d843b032b733e98f2fdb9c5e36a2df94d0ec7570e83d02cbaea5e0c044e7fac9b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
697b8b28a45d960fce5ea930ca5ecbf1

SHA1
b80200b79f47f8038f62cb36a360f78ce3cc60cd

SHA256
b60de2e6b2e495bbe2cc02ba55002589677238f2e6ba3a77540984bbc8cef431

SHA512
2524f073a8865d1a4c27f586fadaaa009f877bd5262c2b30202b5b5c5b9c50441aa5cdab1d19240bb43d705aba4cb125a3c4151fd916c726b12d0eda976e5e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c3547568ae291bb68634bde856221409

SHA1
d57563e41604a96a190a15df3953e72628401bd5

SHA256
31e93b0b33c6e8e1a6c815a706783848283c1e3dc9d887085b0d724c27eabdb0

SHA512
d132ea7eeb3324354eafed91f9ffdcc032b4672352c509a391b7dff697b2ed5e5ee202b169968c550d3bd2157dcf6516d1fc5695ad87f34ecb11980a44ba8117

Download Submit