edbffba6e6d33eba1b770f94cbf151815997c556523c0dce832cbf1eda01fa71

Resubmissions

25/03/2024, 19:01

240325-xphljafh58 1

25/03/2024, 18:58

240325-xmn1jaaf3w 6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ-virus
Size

215KB
MD5

369b4e1e774576fe2b6eda759b8bec5d
SHA1

d93ebafcecd8a95a4345c78e2475163f01f49ce0
SHA256

edbffba6e6d33eba1b770f94cbf151815997c556523c0dce832cbf1eda01fa71
SHA512

a4f3b0a4f2e9118e56ba5a4112c709eb1ab769324a6e152d6ec4f50c15fc23a91ab33d91b6af2a7e57046eaad85a6af94ecbc3a6e70dc5d8b16c7689094b8180
SSDEEP

6144:oDuqJDfWeVSgE29xxspm0n1vuz379uvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViN:KfWeVSgE29xxspm0n1vuz379uvZJT3CU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558669357353872"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{D0573ECE-7169-4A4C-A615-201841EB83CC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2636	msedge.exe
2636	msedge.exe
5020	msedge.exe
5020	msedge.exe
4876	msedge.exe
4876	msedge.exe
3428	identity_helper.exe
3428	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1472	2644	chrome.exe	101
PID 2644 wrote to memory of 1472	2644	chrome.exe	101
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 856	2644	chrome.exe	103
PID 2644 wrote to memory of 4296	2644	chrome.exe	104
PID 2644 wrote to memory of 4296	2644	chrome.exe	104
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105
PID 2644 wrote to memory of 3844	2644	chrome.exe	105

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MEMZ-virus
1⤵
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffed589758,0x7fffed589768,0x7fffed589778
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:2
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5368 --field-trial-handle=1876,i,8322224628454690278,8811453479251508313,131072 /prefetch:1
  2⤵
  PID:4736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffee3746f8,0x7fffee374708,0x7fffee374718
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11782921789177402692,10154060269271962793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
387bb47eec06d7715d63554f5dc38601

SHA1
68d56cd82ff24353387de47db177cce4f2bd49b9

SHA256
305c5fefdc9bd81066c9df455cba5fa78233d163328f898859a430f91422b4aa

SHA512
93c7db135189c0e33734210ec12b3e4ff9dbf1f4866a658f7b5e1c70c6ff7d7f10da61cd1cdc8ff33938ca6f3ce149743ec4aa8114097d4d83ebb09350d42eec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0dc3f0bb-87cb-43f9-85de-738bc96f3e5c.tmp

Filesize
2KB

MD5
9197a781d7768b78c31ab274f874ea4b

SHA1
23e643b1d4c8c3bfae94c3ed279e334f70f833ab

SHA256
1ee3d2a809d27f403141e457ef94dc8ffdec93eb4731854002a8ed6698763ff7

SHA512
0201ff678c425b35c012e3731ad4523f743faec81b790a8d4ed8639f703a8bba545137f045c69588edda8c101346fac92502fce746e79559254740021a8bc91d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
28c59999af259b09e60f476b4b03732a

SHA1
e9417418f375cdef08846c6897cc99f6b638e0ed

SHA256
9304f4ad11707a8127d218caa6d445db02845fb5ddd1bcdefb0fb92e0b123697

SHA512
55f0331928a6efd404533cbfd79b677bc1a3f6c229c65e3ec2b628a0072f1029080cd5aa83b75f5d2eb461c3c0f7c6ea46bbf8cb442b2e7ef3ff21667db43a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
39ae891cb4e34d4be1b7112bacdea9a4

SHA1
5a6b3c6ff8a6143e79eb3965dc79e9495adeb9f1

SHA256
63dd98fd3b6af33a6b5cc863d5d2628d6cd722c7e071fa635648a9a5412a9586

SHA512
2f5f5f3b90e1e0ad74354582e249adb8c1a3f51bd6b58347aded70acdc8348a71d22a486df6771350293417571f51575a7adfcb4c0bfed1d2c0032694934c003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a0c4d5a4c85b68d4217cd4faef77d64f

SHA1
6be4fac7c2a14e5a607bbbc50cf53a7984c253ee

SHA256
70fa4a59f21eed1f3e94394048bc569647adc694eb72f7d55a35157edaf65061

SHA512
bb38fed2f44f85c3921961df7752321cdb56d8b9c93498e532f81e66a4e356d63417960f5a7e2a9bc8239348b6e2f8008f0502f52b1d28bd198b33ae4ad95b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
93a7c1309331390825ee4709e0a08081

SHA1
8e867d950e0c082ed134391512cdc10427af49e9

SHA256
016ebf526cc3d0c5c536cd8a521963d837a106e5905627f779304153c610ffc3

SHA512
f1115ac68f2e5e9fbc927f89ce930a060221ed1711697961807b1137cfcc988dd2e8316c0cdf0802f7ca5ed7265d298e95321058bf330677a2389a85ba4ac39f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
01b0891cd9473917d06d8e54427ca984

SHA1
c05255fd31bf7332437670bee8f02ca78e8c8b70

SHA256
a9fb18367b444cea9380b8885aaa0250234d79262b024e1e6dd858b444423f4a

SHA512
1511123bbf9562a277433456633aba8dcdf0c8f5eab8b49c10293b7b5af63833599a1b4e51fc6e118a95109fecd23336584ad4af33c74bcf36e0001c71c7f520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c54676024baf01bbf78644fc443494d8

SHA1
4310f90ae38528d34d4bcbef7f1dd8e058b2be82

SHA256
e2684cf5a15d76dab0a2d54eeb377282f74d4f1f75efd75c1a7ff27c36b1bac8

SHA512
8b46cb41db56147f7af0655f0e6014e1e477c8c49f0c16d4aa476b87cf2de4de036a0b1307c2fe3d4b824c9e4d879ca2d84e39ac47430e0f3d3602aa572ee17b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a2b6a04567a19ce89e2d248a53ff0ac8

SHA1
95afcd22f2ba1143aeeb782d29cfafc4117e3403

SHA256
355bf5c4c8d58656455ceed94386d410f22f86046103b7e4e491adf1548485c4

SHA512
0356034b1b6420da3963a6b1a1380e7fab675ba8619c81fab35f0aaa89414a789a0a6e683a5921c4ee98df9edad60c36d1aa5a34c0693a1d2d82d519a014c1e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fe659be41bbc7f950e8fc84173e4a3b5

SHA1
77033d600859bd1d3d72d95822ee8e85b6c1efc3

SHA256
d2671a00820845c682f2ff1a736da78c782c22fcaa67d50cf8476949698c70ef

SHA512
d010fe132fc5606a3664714616d6fe3673dd74766a4ee6ae46700513b9f2f0ff895dbec93a36a83ff5680b129f106e6cad39e750371bf8598b2bc0034e16745f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
11b807404cedaa57985d0324d565842f

SHA1
5b7feaba68ba01805a1734ed3195339bad6f9ce9

SHA256
916e3d5045f79a00c4e8c3aee3dc04a1ca0da6297fce51164a75dd3871f5f37b

SHA512
ad1f2e410e26d914efbd7eda337d065707e4aa970fbeb9d2ee3d97b62a1e298198d0c1aed606c3bb13606db720fb40453f04b348bac4e4980461cecb09d80b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
74a1a82caf3a14eecd2717b5ea33ced7

SHA1
fc21a1080ccead7fcd6a9bb14e25114215c685f1

SHA256
7f0d162ba146f4664fb6f7ec2f5559e0b8d2b59f6b81e67e4a46a62ed6e1536c

SHA512
8786cc1f0b02ae696db85cccab989451582e06e7b2379e027bce028afb7518fcbf0558497a082e37fbf56a13aff367cedd13dd38c99cbcd9b2186322a3ca2bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
f9f35eb63b929548c9b0b657cfb91b3a

SHA1
86637962bbb87da816b079640f0dc5891d1dfe6d

SHA256
3707c7944dfd1f5735dafcfc7fefcfc7f69f1b625374a6c00851221b65f75b29

SHA512
dd2df4302469b085c48dc85e4047baed8ef91b562fedf7b66f855a3f82598622c22c72e9cfce4308aa387de12937985a9f7236f7848a3aa9865f66de73b11ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8e508c242b6ae8eef9fcd9a3f046d154

SHA1
a452085bfd2fae9c26baa64cffb3bdd5680e3a37

SHA256
44f07f49b81300b61f678bead04a9614605ccad1bb655e9fea73800b26bf0a0b

SHA512
2c6fb4c211c710dc4b89b5938e40d6a187c9c188c4ada010d31a79245f7b332bd64d98a0010652d6c3399a63e9cf18c05b8b012bc8602ed1f29863166427034e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
68d74980b4e2ab0c62c3aa07c7e2f37f

SHA1
fb86e4ac45fb3095e4852d0aef51a88569138914

SHA256
240c78206c8b26a80471dad794a5459cf160fb66855dec6bfc853b62403394cc

SHA512
159e7ba25bccc254a83ae870079a5389d0cfa241b0008bfc42971f40ea531a3a72cc411de42841ff8b3b6f0f0d81416fc737489e9768d90e2ce5e7a01dbc1bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b27d721fdf16ad91a643f1042f06d074

SHA1
9fc4cd2ecebfa2f441da8f8d20e9917a5e0e96f7

SHA256
49118ad846bdd9f4bec1a87a959e9efe688ba267bcf09846ac5deaffd903e031

SHA512
be280c3b5089d5d95c6a4a2e4865e623ee938ddcd5d38dbb6a845c967ec9a79a0075483553735d7fdbf0f3e7d301d98ab68f483c764a8ab2a6539cf23fd2ed47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d4c3711ede4335abe67122f38b0c4b5

SHA1
40e3a0f88e188875ac991aaab3ee293a27fe617f

SHA256
92914ec4e7a174a7f9bfa2cb61fdf80fcc7d842103947ef5f409dc82d3a272e8

SHA512
55eb0857b2adc3bbe3172da01d5f95cedd57da69d485b150cb56811dff3f0f350610343d932ee2874bf7e8da058cefb19a15eb9adce16d4357bb424cee8c408e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c19faa7534a5ef74e67f9f9c09b039a8

SHA1
96cb2c6006be80cf45987cb1f3ce0ed925513ca8

SHA256
11a17f1b781c6f6aacfc66df0687afa10a7c6aa901f51b42d2b52512e3df4297

SHA512
e51720d03ba7c0c332c8bd1df013fecd7946543fd844373e5c5015dd0d969cc904e0534a96cc1ef4ea3ca76fab8091983f22f4478ac77ddaf779f1ec5f701c2a

Download Submit