884d7714277f2e439843f54b9f9fcba098bc45f1a4b101dfc0f2e6cd983968e8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c41cc8495aba84f1a17f15a760cc955.exe
Size

104KB
MD5

9c41cc8495aba84f1a17f15a760cc955
SHA1

f0c4512e71cb1d1d77ab1e99815148e20ae08163
SHA256

884d7714277f2e439843f54b9f9fcba098bc45f1a4b101dfc0f2e6cd983968e8
SHA512

3070875bcc0c8be4977fbf440ecf473365378a1f4fb2e662adba68c252e342354b66c6c09fbdde1165850fcaef80ee17ed66ad64cd6f4b1eb61f6195afd834a2
SSDEEP

3072:KVidQr0UZqnnSTqPu6V4aGCWRZX0bhp0vcsjsr8gWt8C1dCuf9MJEb+o:Xr9O+o

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\afunix.sys	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	9c41cc8495aba84f1a17f15a760cc955.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	9c41cc8495aba84f1a17f15a760cc955.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	9c41cc8495aba84f1a17f15a760cc955.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4464-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-9-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00050000000006bd-14.dat	upx
behavioral2/memory/4464-23-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-93-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-108-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-302-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-326-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-591-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-1037-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4464-1230-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\mfsensorgroup.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\mssprxy.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\nshwfp.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\xolehlp.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\kernel32.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDGRLND.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\P2PGraph.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\pid.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\polstore.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\tvratings.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\wer.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dot3hc.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\cfgbkend.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\MFCaptureEngine.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\mstsc.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\RdpSa.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\UserDataAccessRes.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\vssapi.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\WindowManagementAPI.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\12520850.cpx	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\Windows.UI.XamlHost.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\cic.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\fontext.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KerbClientShared.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\netmsg.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\azroles.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcomp120.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\mfc40u.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\lsmproxy.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\icu.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\DDACLSys.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\iasdatastore.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msauserext.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\SortServer2003Compat.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\AppVTerminator.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\Direct2DDesktop.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dmime.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dplaysvr.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\html.iec	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDSG.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\mprext.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msiexec.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dbnmpntw.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\FXSAPI.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\GraphicsCapture.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\IDStore.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msutb.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\WerFault.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\BTAGService.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\gameux.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msra.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\nci.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\ole2nls.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\StateRepository.Core.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\sysmon.ocx	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\cscript.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDINDEV.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDUSR.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\security.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\typeperf.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\apds.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\MSNP.ax	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\nddeapi.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\offfilt.dll	9c41cc8495aba84f1a17f15a760cc955.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\WINDOWS\mib.bin	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\WMSysPr9.prx	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\write.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\HelpPane.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\notepad.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\PFRO.log	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\Professional.xml	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\sysmon.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\system.ini	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\explorer.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\winhlp32.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\bfsvc.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\lsasetup.log	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\splwow64.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\SysmonDrv.sys	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\twain_32.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\win.ini	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\hh.exe	9c41cc8495aba84f1a17f15a760cc955.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3744	msedge.exe
3744	msedge.exe
1040	identity_helper.exe
1040	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3444	4464	9c41cc8495aba84f1a17f15a760cc955.exe	92
PID 4464 wrote to memory of 3444	4464	9c41cc8495aba84f1a17f15a760cc955.exe	92
PID 3444 wrote to memory of 2436	3444	msedge.exe	93
PID 3444 wrote to memory of 2436	3444	msedge.exe	93
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 4060	3444	msedge.exe	96
PID 3444 wrote to memory of 3744	3444	msedge.exe	94
PID 3444 wrote to memory of 3744	3444	msedge.exe	94
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95
PID 3444 wrote to memory of 4156	3444	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\9c41cc8495aba84f1a17f15a760cc955.exe
"C:\Users\Admin\AppData\Local\Temp\9c41cc8495aba84f1a17f15a760cc955.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9ef746f8,0x7ffc9ef74708,0x7ffc9ef74718
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    3⤵
    PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3532 /prefetch:8
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    3⤵
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    3⤵
    PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
    3⤵
    PID:560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    3⤵
    PID:1488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
    3⤵
    PID:956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16739730016545096016,11777050350851766509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    3⤵
    PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
  2⤵
  PID:1624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9ef746f8,0x7ffc9ef74708,0x7ffc9ef74718
    3⤵
    PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4f4
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
480B

MD5
bcdacd262731c7f247e4fbd9c020eaf5

SHA1
43256ae0b21150a7d2b58d2889328ccfd09c3187

SHA256
66b395e13a4efdb602c939261de33333373e6d015a82249f63c721072fa2ceb2

SHA512
b466ffc2053485a27f6a17b8549e4b8161b7e5c0a566e8619bad1649b5f7b88af52d8231333955cb20667d56a1c271a16bf893745a1885ca00960aaf549cd426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
1c5d2a799ed96a2db21486c685e3f0c4

SHA1
34b997ade8bc3937e5bb3a1b9394216c9e485bc0

SHA256
dfd44eeec75da3130864ec4db106abe3821ca9360c8fd7c61d2082c35a36ed74

SHA512
00b2b0606ef67eb5ed2f1a0feb08e2211c8babae6d2ef3185248db64b674713e68c94be2c4c49495eb85c1093b306d13ff587aaecdcb4c9a6a3f592b0a79dba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
99830a78bc53fd9300fcbedc174cd897

SHA1
21679dcdca7c9cbc8d8b3b69a5b69ea367b70a16

SHA256
e1308c64dae1cdcc7343aa5f2083b805b9187860d2429a1a6e8c32b4e8850eab

SHA512
87a7aef1819cff4330f3ba6bd1e60cf6ee9d2f914b3776e85aa0944cfcb469e7012dcd7aab8cbc31808313f2dccec9e0ee0a3d71b7cd8481c7e511fe0d24faf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3db5135732036d5b828aa87aba40a992

SHA1
247b67008cb8aa77b30d789287f4faa06bc3b99c

SHA256
75caa6d33dee37668d8ccc45f33a0b7c09a57a4f68f334cde8f7c2d6c412c1a5

SHA512
0e3502a1b8753401bb486a704f0f2b919cd2f38736c36e77961576d90611b9ad74c72efca6e6c6e963bbde162500194fe55187880e58fef0a938619fee90844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
879b08796fa2a2860f0bb30c3dec0dad

SHA1
9810930c46940dc99c1df01ad628f18ad29df762

SHA256
bba8513d185dd7f90b29d000281371775497e842d296263bbfa792fb760ebe82

SHA512
eb03236a8a7430cafe9797351ce4682b5acad811c7fb14039a90e9ba8b68039e2744bad107389ac29ef5f01cadaf20ccb01fda1fb998d99a701d1a36f1dba1dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a18c5f0eb399e1b79549a6d307698dc

SHA1
d2c66f24e2e3a6803ec21f6c83b6eceecbdcf4ac

SHA256
7f13d42b70e8eb85908bf98c42d1cadbe8bf59f216a9768c6ba42127d98b21dc

SHA512
a9b419ce1fd6373b2b328f5df6d2cb4a6e2bcc45f8368ba2701d8856936b4e25b3447bb0d4a8734a726d0e879e8d9b38d80d1b2aea48efa8466fb1df21a457ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bb2669fc5c72aa4eeb59dd82315fcb55

SHA1
eebbc96317f23fd57458e5e5ddf3fea6428f8a48

SHA256
98940e8a49ef6e247310595fde06cbe369e9e3cfe4327939964c9ccc62d91a00

SHA512
8253748df2ad432c021c95f4aabc1e5ed6331c6ad7dbd39cfb772a20dbf9779bc0caa669ab1fe03e6e728a3ad9de0471be3d085d78afee0e8072a63e1f15e107

Download Submit
C:\Windows\SysmonDrv.sys

Filesize
193KB

MD5
cecc1a7ae706cb4db1c50069e36da568

SHA1
bdf90a55ca71ebba8d781e040630045b596f7f17

SHA256
5cefbc40d692b0b221cdafb093ebfc64d3b754273fffeeabbdeb04fa233233a7

SHA512
b444f1f4b5930a7221dc16439e8be74b5316fdafdfe33ef97f5a3651b9b4aeac3b1713e2fff4f660af356d7fde40878fc07591522662c600e1209061ae2b4762

Download Submit
C:\exc.exe

Filesize
76KB

MD5
051dfbdb2a9e967600c0c31d8d92306e

SHA1
4a8f60452b179ed222cc7917826624566b3eabec

SHA256
42f3a2bfe299b41d945877c610e224c7b0f5301badf9f26686af5dddb279e2bf

SHA512
cd032539eae0b4d5acf0f51c5d536f3872dd73bd497b6f611175e89957630df024ba9a2536d178bd235278137cb05a73411207e8f45e4e58fb4d24c0de5721ca

Download Submit
memory/4464-108-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-591-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-326-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-302-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-1037-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-1230-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-93-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4464-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download