48c275f7bfb222ec78f54617970c98db10c0bdc1fac39aed723fd07875c09b85

Analysis

max time kernel
229s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.py
Size

3KB
MD5

348c346b13048f98e919f687a642f8e8
SHA1

144103a92eb08644208a979a8c82b7e994a7d769
SHA256

48c275f7bfb222ec78f54617970c98db10c0bdc1fac39aed723fd07875c09b85
SHA512

196eb52d86e149454967f84c4cd10cd10c8b4760fb32eaf3e3bc8b1c6fbf104569643312f5e55d1f25e1b05d7285df1a5e58ce86a8356e4f602626754651c344

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3073191680-435865314-2862784915-1000\{EA0C3FB1-90AB-4AC7-AFCA-70DA9BEFD9A4}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2788	msedge.exe
2788	msedge.exe
4676	identity_helper.exe
4676	identity_helper.exe
4952	msedge.exe
4952	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1420	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4532	2788	msedge.exe	101
PID 2788 wrote to memory of 4532	2788	msedge.exe	101
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 3908	2788	msedge.exe	102
PID 2788 wrote to memory of 2500	2788	msedge.exe	103
PID 2788 wrote to memory of 2500	2788	msedge.exe	103
PID 4760 wrote to memory of 4104	4760	msedge.exe	105
PID 4760 wrote to memory of 4104	4760	msedge.exe	105
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106
PID 2788 wrote to memory of 1992	2788	msedge.exe	106

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.py
1⤵
- Modifies registry class
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc8cf446f8,0x7ffc8cf44708,0x7ffc8cf44718
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,345068879700142740,17052958641500248942,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8cf446f8,0x7ffc8cf44708,0x7ffc8cf44718
  2⤵
  PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
606204a7864d1fad81004b6124a1e2d9

SHA1
d77f04d8489a0c898bd3ca43350d100499af8ad9

SHA256
8d6244e6e7aab4013fa322a84f5a46f3611d9133e74514bd29d76f864e7a1970

SHA512
ea2f07040f810b729c32daa2f0b51357a53e2e2c649fe08205b6f28f0a39ae07d7c544f0f7650d4df725590a41cfae027aeded0f4d878d4f4a6a0d849d93ff02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b28c716d8fc320420213fbff7cea575e

SHA1
1bfcb7ed7f4439155c903f4869b3086c16c3da72

SHA256
949cc763cfac8ba1a8bea53f0418fedd85c92b4509f122056ded4a3b6ea8e50f

SHA512
9b502487ea0cb9f1a52dc1551c4ac29103bab0a89cb127b27ecd1c8e14a784c601926ee65490863bd68cc546f18242389a743f6422c52922846a90416368c3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5662fa5a0cf742178bf345151fc8dac9

SHA1
732a01e4fcedf3b82b273380acaf27be810bb935

SHA256
f72a2bf57196cb812eb142a180b602274b190ec26c5e8c34af3c5ab663bf824f

SHA512
d9e89ad64728e46bf72640e93cdb5062d342065d855c5f98d1beacf03b4313b3fdeb819a4cedf4f6ac52a73bc103d3498c39ce0010ab20ca9452b5f488f34ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a8c71417c5a9d845cf691df1d1c8a1e

SHA1
7914e400a57ad54171448ddef5ea16bf01fe4844

SHA256
5d09b3175165dc7e711567af9326512022c411cc10d232483ca28b8324e7e8dc

SHA512
66ab855d0b19c7fb9b66448c8073ed5e6d86ff1c550b96412eefc4da5db0f0fc394aab3d2015f674b439d2f990d2dc88a2bfdfae51e3382139c4fbe32db8d4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23fb1c37cbc31588b1982fe9e17eb693

SHA1
547da98c5705344abc30672bfda18cbc48baa9c5

SHA256
40d25f12191eda17cb2584628f78ea8dd773c13ab2768d4d9e61b310eb57534f

SHA512
6d29c0b660305350a5f0026b5f3f8242ebbd7978c4cdae2d225976c81595b0e5da6b52778a945afcc35400480003239eb9b96b30cec4e1c6593739f70a5592f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec123a83747100d1a53b17fe395d6d1c

SHA1
a7192a31aabfc501dc71548dd55ae048bbe85fa5

SHA256
17f3261ef2a7352a4dc8a2df806f6af48810cebfe89794fcf1f4eb52759e04d0

SHA512
e0d2d48787df130eff503708c382e54e5b971891c322b4529e517a959787a401c230c527770235252a2c1c6f2b57e681e39a92569c6f0f877e164ab2a17299ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc915b7878a6abe4e9e466ffd557efa5

SHA1
f1f8cd0622ef850044a69305aa2dbf5ceb61a86a

SHA256
4b95804a810e70d3964fd0c115aafaf481632fc837d45181c5610905c85fc1f9

SHA512
0ae188726f4ae8931de9ea962ec7ecd958a257be8a5d26a85daa64cfa4e7fe33ef695ac76147aa3eceeecb8009ea73ebd5a90c4c7f2486ad8014602b657355f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1d81055ecfc06cf3b1a4bf4d26072c18

SHA1
8a87fb05a4460684ef0d616e956f54dd8c15aa53

SHA256
22d6ce951bdc7caaadae39121e7735c19b1482a907b06cef86db0f3aa5d528b0

SHA512
b83434889afe87fae89b2ec25f8464710639c59155b7f297ff4de13e06a514b08789b083551814d8876c49786b6eff1eb0cdb33ead3581a4fbcd555ceb6af430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0f1209167754578fdbd55b192b4b0e4

SHA1
772e61a118d4f81621b49c29a1ee391ac8eb815e

SHA256
71296d9b143cb6d83716c10e275b0bb7137e0d25663a50a0908536a5eff63ba3

SHA512
14512fbd6a54190b73ba5fe96fa0e7528dcbcd80ae2d63ebea09f9b7888f4608da616725c4163812eaa271edbbbb46524606403dbfe6961b943422e117983089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ad7c4.TMP

Filesize
871B

MD5
d09314fdbe11d8b16348d9375e6b3496

SHA1
5fa1ce79a5faa221cd9299d89e6609675ebf225c

SHA256
01a48d3a1ee220748bb86660bd0141281f60c132eba887cd8dd8af95e6f4404d

SHA512
d8104131fb73f0db1bb675cd88a423099bb09cf87b50f7e9cfcd2649214d91bcb4028c6514ff79af28ff4d1f0e11fb7299b25ea1a4e9cdd51f7f64d05e35464b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54f8f2a4aa613f94598aaf6cbf26d097

SHA1
88fc4688ebab3cab4167ad95df0357ddc2d991eb

SHA256
c6260e92b9da1fc31e4ae7dc29a5e6d960f03a54959c5f39c31ed6e1b83877a4

SHA512
d8bf2f557ec9ab515c61e5f7618c58d6bce04b87b6b42d2ecebef5fdcb969bf7708cdb519a92658f4cfb5eff3a902602f5d9ea889784c3cab443220ae470daa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b55af184ec4a092c1ab3d54f15dbf46c

SHA1
02a10ffee03864ecff40728c5a76bb237e22a052

SHA256
cef7fff2907bffd75ad2b67ce4b3f51602ce16b7333bf0fd9e5b507160a7a983

SHA512
e2f65c74ee88e29b77c8bdb3d97885fd0dfbafa65cc06d8c971326bf95e0603e72f176a34e251a04219eb9e7bf86fd96f318acd6a0b767545ff962243b91dbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
de259945e339eb3db07818103b261211

SHA1
2670166bb98393e3c31407b5f3da41883f8d8d52

SHA256
96c7edb13152f9c9eba0ffaa5ad858f454c9d28bfe3d8f2043afd8fad3a4b77a

SHA512
6e11dc5cf3462ba578a84d9e6358aa45f2d637d9bca3b23e421052313e34f407d35d9c96ab0250286c807d5be982bfbab61746e6f6d1eaa548fdedff9f33b90d

Download Submit