a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
Size

1.8MB
MD5

fe2abc67dbbadf24babb8d8d57ada549
SHA1

14b7616bb646498f859c393b6840358cdf810057
SHA256

a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b
SHA512

17174cce75ae8330acffac3865ff4196f36524658de0798485f6bb7f9d844117273f092efd26429f0a15efa6a3d98d6a71d2448fd21d253f781f504be57c2d0b
SSDEEP

24576:j3vLR2VhZBJ905EmMyPnQxhe42LwvHYgUBoHDC/hR:j3dUZTHaLAl

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\V:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\B:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\G:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\J:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\P:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\S:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\T:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\X:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\Y:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\E:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\I:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\M:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\O:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\R:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\U:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\A:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\H:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\L:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\N:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\K:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\W:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
File opened (read-only)	\??\Z:	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4996	msedge.exe
4996	msedge.exe
4608	msedge.exe
4608	msedge.exe
1556	identity_helper.exe
1556	identity_helper.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
Token: SeDebugPrivilege	3652	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
Token: SeDebugPrivilege	2380	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
Token: SeDebugPrivilege	2380	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2380	3652	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe	88
PID 3652 wrote to memory of 2380	3652	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe	88
PID 3652 wrote to memory of 2380	3652	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe	88
PID 2380 wrote to memory of 4608	2380	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe	99
PID 2380 wrote to memory of 4608	2380	a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe	99
PID 4608 wrote to memory of 2788	4608	msedge.exe	100
PID 4608 wrote to memory of 2788	4608	msedge.exe	100
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4492	4608	msedge.exe	101
PID 4608 wrote to memory of 4996	4608	msedge.exe	102
PID 4608 wrote to memory of 4996	4608	msedge.exe	102
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103
PID 4608 wrote to memory of 3652	4608	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
"C:\Users\Admin\AppData\Local\Temp\a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe
  "C:\Users\Admin\AppData\Local\Temp\a40361bdb25f5655464314cf7739dee528298182d28271df8b78e9c069a5851b.exe" Admin
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xa4,0x114,0x7ff9ed9a46f8,0x7ff9ed9a4708,0x7ff9ed9a4718
      4⤵
      PID:2788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
      4⤵
      PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
      4⤵
      PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      4⤵
      PID:1112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,11776139750662783479,11916360092042977313,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e83162bd941d3fa043b42260557b802

SHA1
21346b78b7ea6ad0538c35680f770baef5fbbc40

SHA256
a8c623be37865c420cf6672c30017e6940bdf861ca3997c12ed16112fec2dd93

SHA512
b317ac683aeeab68563d6ba946c0bd58e8d4452f933fda4c5034addd2e32bb6498c63b7187c82f89d257298e66d996ac0c1f1fdf85368ea3b5c491db0e395b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fde43c087d8fad7897feef28fbd5927

SHA1
ec17d8e0c281e193c05bb019cf769e6524ad3119

SHA256
3caad5c93510ee373e2a92d4a211008e50b2826c9cb8b1ce75668916ca64d7d8

SHA512
f4a0cdb61000df6cd457eee71d9bc0d5d2207859a1715fcbc47af71c4ffd6db6b802e8a38a1de2bb6e7a9c248591162003aee5706193384c9b829b6d6a8c699a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5aaf82625db65934eba9eb8d7fce0f25

SHA1
f453092b9d9e2cce9c3526f2e21dd4eefdae81ae

SHA256
95e45de945e90999794e1f8d530b68f9ccf05dcaf33c66f862bf9d12a96e37d3

SHA512
686505eb6d9bc504117f36af183f0cb764ee07b6cd9beb5c2e0a9bed0c0c5faffa967b83028aa3137e1aeb234d287213d363ae1af134b4ab10fa25f17e8ece91

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
memory/2380-2-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2380-6-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2380-7-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3652-1-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3652-0-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download