cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10/04/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
Size

897KB
MD5

f2373f8422e235815d9a6fe7def5b6c4
SHA1

279250ba77d1707fb26c8ba5446d6024ce686661
SHA256

cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3
SHA512

7341f21c148255fc9a574b351a8402346c12194e3210563b8b3b023bc1f7dabe02a39ffd270a67efa540af276d89a5b478c8dc704064cd8c156c0bfed4314ec6
SSDEEP

12288:sqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaiTW:sqDEvCTbMWu7rQYlBQcBiT6rprG8aCW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
480	msedge.exe
480	msedge.exe
1612	msedge.exe
1612	msedge.exe
496	msedge.exe
496	msedge.exe
1276	msedge.exe
1276	msedge.exe
3688	identity_helper.exe
3688	identity_helper.exe
1100	msedge.exe
1100	msedge.exe
1944	msedge.exe
1944	msedge.exe
1944	msedge.exe
1944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1612	4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe	77
PID 4796 wrote to memory of 1612	4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe	77
PID 1612 wrote to memory of 5080	1612	msedge.exe	80
PID 1612 wrote to memory of 5080	1612	msedge.exe	80
PID 4796 wrote to memory of 336	4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe	81
PID 4796 wrote to memory of 336	4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe	81
PID 336 wrote to memory of 1592	336	msedge.exe	82
PID 336 wrote to memory of 1592	336	msedge.exe	82
PID 4796 wrote to memory of 4484	4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe	83
PID 4796 wrote to memory of 4484	4796	cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe	83
PID 4484 wrote to memory of 3336	4484	msedge.exe	84
PID 4484 wrote to memory of 3336	4484	msedge.exe	84
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 4236	1612	msedge.exe	85
PID 1612 wrote to memory of 480	1612	msedge.exe	86
PID 1612 wrote to memory of 480	1612	msedge.exe	86
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87
PID 1612 wrote to memory of 2324	1612	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe
"C:\Users\Admin\AppData\Local\Temp\cd0be474a71c9150071dd17f1fe9a6474a4441b8127b80662177cdd27d1dcfe3.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb8c33cb8,0x7ffcb8c33cc8,0x7ffcb8c33cd8
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
    3⤵
    PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
    3⤵
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:1716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
    3⤵
    PID:3372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
    3⤵
    PID:3392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
    3⤵
    PID:252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
    3⤵
    PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
    3⤵
    PID:240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:2484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10021698199688376799,3835663196579185735,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5924 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb8c33cb8,0x7ffcb8c33cc8,0x7ffcb8c33cd8
    3⤵
    PID:1592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,6382405983572985140,14837385066484448548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb8c33cb8,0x7ffcb8c33cc8,0x7ffcb8c33cd8
    3⤵
    PID:3336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,9352444390791947684,7425067384407206591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
5ba7743d04ace41f7f799f05fc7bf4b0

SHA1
1e87ee51c5c22ba5545bb67c9482c9f2b3b3bc6b

SHA256
fa1f5caf4055571bbafaa77dfdbf3cef0891a871d174f2d883e7fc8288640eea

SHA512
2e095b6d18e4714bfaed1e9884052e10ebfaa152bd22da1053254451a9a8dbdf3e43857c09a43dfaa160fb61673e38c45cc1cd450bdb942bd8cedcbecd8eb25b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5d2e9f1d8c113e77a9e48f031d990a2b

SHA1
faf538578813038e6c6f66294d50e2396706d7ab

SHA256
b5e35c17150962e4a13762e7f23b7c8d591a6ea5b7506199e0f29d0a4fa49973

SHA512
e82fd07257943f0e47d342a9274afaf5ca934b8db5d8f579d862f6741864c4fac4b3d9996c92aec21a5497e41c970027ca118cc950d31d406d081394da892c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b407c61108757f1902eaf608924177fa

SHA1
f3951d6ebf90b5c1687d8060fe1ca8065ac66975

SHA256
e972eb616879740179d97a32b05c2568449e0b317335d5e418acaea034eac24e

SHA512
f70c1cc52d2f213514300a160f07e4297e211327c9c663cc7f18c7190b2ecf40ce3c416e6a9395a0f9b86efb661e999c30b6bb38804d958cc2b3217405ce509a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c4f1b480b44dbe3f625f60da7947726

SHA1
a37fe24f37479df058bc9c2e9930fad4f6ae795a

SHA256
e505d90441ab54a3e355f571f21d5e78771bd8c624fbfc63754ee0a58cb6251e

SHA512
59bc4515128862575eb0b6846812a721a1114d2c89b7438e40aef8f065cda5125f0a2073dbcd24c2ddcd72f1df69a02d43d92abc63fa22c27d92614e15f063ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aae77a72c3236c113a96584ff0339ba3

SHA1
1d85df72c8ce33fc59f064a313061f612b1cb093

SHA256
64b72a7e0f9f823da810066fbeb8767a32c927d46233c6541e405cae92460018

SHA512
97c39057e5b6b1e3b003b55f1476c531ab85dc1e46e784c904a68d2b2abac064c012e23960d1f3b7fa48669511d6928551c57bd101110a5af2284794308ad8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
c95e7d6ff878e1d419485db4ca12d5ce

SHA1
d48ceaf9766adb4eee8d6f900a3d180bd4676dbd

SHA256
fdc0dea014bf064fd7b33228a0322aae720c92d23bb4279722bf9e7fea3a4744

SHA512
75251c4b3b9a3de4d8de0311754dc56ec407fc510d89b75ff47970d5450859c5e201dd2f364f0014c4ea4c7a6c160663e3f7a151d2dbc6774defc9aee2a91efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
e2c5721c1cd809cce66cac5a7531eb19

SHA1
67e4a4d21a0778e5ec5213de6c1326dddc0eecb2

SHA256
bd3472acd9645d228479c5fc3e63cedcfcd86096720b76693ee74e07efad5b20

SHA512
6362089be0eb159877cec18ed5d4c0abf6440d5a90c6a2da8f7b4ac56b7e937992615c5771683ce29ed39c599ebac24e62c34169f9dea25529985682bc278c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
c66db6673e336f58d287fcef83745d91

SHA1
189b92a3317941b3c9826666e0a4ac4e4e5febb4

SHA256
dd864db284701652214b78c71c55408a572cc84b2814594c36b7a07cadb97875

SHA512
e7560ffb47abba627605f5a9ab3a6d868a3d1426e3adb841d58c095955bd438cc8a089d6ea5a2b35f8511822eb6e48fefe5a0f95c52ca988b3287fb52375ecc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
86d5b21735fbc594352a94938f0d72cc

SHA1
251ffb558e1ce3432f6b6f0846c2692e8e85f971

SHA256
1b812d4d057afb745c50ee6f579d6f78c5e57a415b0334c3d82129b1abc618ff

SHA512
018646342ca56717d523c37b33c1df4f5b40ccebaa769624e6d8d3637165f3c850662066dae721f46ac819bf71ae792ec24a403e95f9d8c7d1afbac6215a61ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a5321dec6aa3eb169b5b3a151f18775f

SHA1
518d89b47bf977f4bb7a3bce4f8ddbd2449276d5

SHA256
e49b9185ff12d175df295d838bebd970a9390deed2c031c94332a9dd13db6a95

SHA512
d39bfe5a4af5183324dff1553d05345e51068f1179e378dd6c782d8a83d3c33d108fad00a0da2b3dbc536a1cfdc3617c523399074d38a69261502ddacb5ffe3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a1fd.TMP

Filesize
707B

MD5
5ff12c7d63c33f8ed64bb2acf3c153c4

SHA1
8692de19d71e0b646fbeb8366ffe445dcc486d43

SHA256
96a4b5b3737d4a6eddd0085dc1b8fc8bbdbe029066a24269c76eba45642b0ae1

SHA512
ef46b65f3edbd7c9132f31cb69bf7f9a07ffdceea4a6248d35fdbe68e66fc1193144b73427c549036083c7f1733738ef4a789e734b8694a1fd51235124c637e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a97c529982891f946fe1cf73bd14ba4

SHA1
606852da09b0ea35860f138e3f8fa6f1626325db

SHA256
aabace918cd84abbc9094827db336fe61ebff99e0c293dd46b86ca975013b2bc

SHA512
1ff85731f21fe41bb5d6668190ba4adbbd3c48ca85a6918fd2a45108e7915556467f25edb2664532ff078652fe1a2d075a9a9818889f45ac5f37aa5ea6c9f332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d0586371a5551ed3e2bb3ec9e3f5c990

SHA1
f5ddccd3bb2f5adac8f5249b87dd47b053fb8c63

SHA256
6796f6f6ddd66019069ab6b400a6ea2570b0e7cdfe57703540962be04b270cda

SHA512
4202b5d75352e65006a6a57d074f887b778bfd002c3e2b1012705d066e1b6be8b1c890b1faac04997cc9fc4399c9e0b8e6f6b592461e13d1551e6929e63d7f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
27567bad31d1dc30db9fc9c6b2db73a1

SHA1
a1f39be842c063c6c5a6e5597b14466c4ccc06ad

SHA256
743e36df10143324e6efa67b5c88d51b47f1e033730af58c71aa8d7bc9dc9917

SHA512
d23f74fc77610fcc71fc0463de80180b52147309103450de6edc319a145340e28d8a44d04336bfb884461a9f6e9a64aedd2df612add879d49bd10b0caca35da9

Download Submit