13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406

Analysis

max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
Size

897KB
MD5

6576400ce7323b036fca9f3d1d4a9179
SHA1

1b4c586651380d137c73b1bb5049685623040758
SHA256

13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406
SHA512

ed0e5567b63c25acb587f0e7cc7eeb27275cd07989a010c11c858d77b1e711246c7d6605432e83483986fe91f30885dd64f3db87abea126f3e6fcd2d71689765
SSDEEP

12288:uqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTP:uqDEvCTbMWu7rQYlBQcBiT6rprG8asP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3188	msedge.exe
3188	msedge.exe
4500	msedge.exe
4500	msedge.exe
2928	msedge.exe
2928	msedge.exe
3252	msedge.exe
3252	msedge.exe
2084	identity_helper.exe
2084	identity_helper.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exemsedge.exe

pid	process
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exemsedge.exe

pid	process
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe
2928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3636 wrote to memory of 2928	3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe	msedge.exe
PID 3636 wrote to memory of 2928	3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe	msedge.exe
PID 2928 wrote to memory of 4880	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 4880	2928	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3816	3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe	msedge.exe
PID 3636 wrote to memory of 3816	3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe	msedge.exe
PID 3816 wrote to memory of 1244	3816	msedge.exe	msedge.exe
PID 3816 wrote to memory of 1244	3816	msedge.exe	msedge.exe
PID 3636 wrote to memory of 2332	3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe	msedge.exe
PID 3636 wrote to memory of 2332	3636	13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe	msedge.exe
PID 2332 wrote to memory of 3480	2332	msedge.exe	msedge.exe
PID 2332 wrote to memory of 3480	2332	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 5092	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3188	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3188	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 3044	2928	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe
"C:\Users\Admin\AppData\Local\Temp\13f387282cc76fdbf5f037d2dfaccb040190d5cf3a0d44a4010d37c6a9048406.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94e4d46f8,0x7ff94e4d4708,0x7ff94e4d4718
3⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
3⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
3⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
3⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
3⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
3⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
3⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
3⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
3⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
3⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
3⤵
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
3⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
3⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
3⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,9685961521741233324,12099753511479362890,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff94e4d46f8,0x7ff94e4d4708,0x7ff94e4d4718
3⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13397794023019705906,17398451751460028386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94e4d46f8,0x7ff94e4d4708,0x7ff94e4d4718
3⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,11621546058971712886,8775310302762576866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
3⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,11621546058971712886,8775310302762576866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1008B

MD5
60c8ab2b6c88f46aff4a3df1776c8521

SHA1
a0b08c02376c6d4f08b5e2d2882ba56c07184c85

SHA256
7978dee67e4607c27568d14bfa8a76b4b4354953c78e3bbf1511dfbe399c2cb9

SHA512
a7a86c67e92e80cf244424859565822382d647c6e519e6c75d2f9d839ffb6829db241b5b4f53cb4729107f79cf096f394aff7c758e9f21de54042cffc85c536f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
79262c016e8af17ea86f72b8c5bfd448

SHA1
ba9bfef5c12f04e3059d68ad40e31e60e020d99c

SHA256
5bdb2211c88e27e73865042db35bf1f32fc94cad4d167e611d6244ea25bf8107

SHA512
0bbf61d3917bb07f0109451aef2ae7e3e30cbb508dba8743c825e9fad163301f8dda1a7b3aa17cbbebe5942957354da501977e30712aad9eb28c972cd069f721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
e56be3f0ec66c7ee307837c5a339bfb2

SHA1
689078396d4db32babe1d7f3b9cd95c362f588c0

SHA256
97894ba753d543eee0fd1c1a74b1441c439d6b14423916666b16fd6d170f3315

SHA512
ba339ce22829afcf957599c6d81ebe4a2706fa54802ec8a5cd683fb6521b3f31516a57ffddfa3c649d65b941b70d02611791c6814d3b51802e17e9da3f6be96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4642fdaf0fc505d6c75520a83dbfe9fa

SHA1
82c34a53ff9eaf9f06ab17aa5e839ce49bc42519

SHA256
5978eeb9fbc26e733f380dd30da211cfdcb7669e6991cb82d249da3ea23a8b46

SHA512
40540a0aa85982ee3f7945b80c73ec3ef7c0fa1841dbede59a3be07247c7986e0b591ac016f8f81194b37aa666fca1fa8d91dc8c2056854e528ac767c025abfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3d683d598227007fb217ca791b3728e8

SHA1
271bdfe36890086f9ecebeb0e2ba7ec3c8321a38

SHA256
3653ce459aedcde0c439d52fe1fc44c7b0e9ab4174c98abbc493e413a45262a4

SHA512
b643d8604face2c8dad0b80818ad19397aece82771a62d4efa54e092776329442f4378a4f2dddc42751375e263579c2c0f0e399add7597d406061796164df6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
3903b17bda6f371af1924ccaffd554ea

SHA1
efbde91acde271520a6686480285fe6c00ee0eae

SHA256
ab183be68b763251d15e51ace8ef61fcf3037c27fac23469f2097a6ba6aeeece

SHA512
404ea004679971e17c488eb306da1cf2f68387bff6b591bbf5eee04120f6fbc35608a04bd80cb5e0d44082adbeb8db1de7ad38cf576dae7b1724d1c5f9ba03e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
712b7ddec94347322430b1ea572103c0

SHA1
e349a5a9e0f46d72baa4c7a875649e49511eb20c

SHA256
c981b106cd60a3daa68b7027fd15712cb82668e935f4322f95b1363b5312dc5a

SHA512
f96c595d54b63458ac2c11341bfb2d6ef3586710531c1ec6818b8e079d2d9fcc148aa375de780a09f77690ef3c2c4865f711e3769d1bdb8f71f357d9897a769b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
01d1a534f5f2891c161dd7f35830fc86

SHA1
68d4cd0f90037dc7f521ee2ed49ecc9dc382ca4b

SHA256
5f673e244a5462b2b1c24feb6018ffdf6ed3a6ac3681cff469ff6c8f912402ea

SHA512
c0875ac93ea31c1e843488eaa94a460c98b9f5e1de0fa2bd1e82cd0002a51934a5cb0f8a0330b60b15a7095027d357b58b7340fb8dcf791e22e2e8c61b4bb2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fb19.TMP
Filesize
707B

MD5
961f6ddcf5692c775ddad060728bf79f

SHA1
4bb56483ec764a2d341353369d537777b6afa5a4

SHA256
da2dc70c3ad61571a811d6a13a1e4c5f0377de3a1f63535f347b2324b5c7b274

SHA512
4d8736662f353cbc08f3888219bdfa2d4c212ac11bb3f9cfce0a350307ca8ab67a81b03ef4a94fa6c4e592726873b593d03d5f11695c2681c37c8fd857d2d280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
0ebe88d975af9c9e5151d14227426782

SHA1
e6c67adb47c978d0492344b6753e20dbad5d7b68

SHA256
da1c791a52a751162ad066d33190bc224942f1fe0a9cb78a7f331a781a9c0ef3

SHA512
d428c6ec5c748210f0ddb7d380f80eec7e764562e70697f83d470f3574bc7ab93b70b8338dc40d43e051b06df43ba2e2480fb7c597ca9884461cec7b2e2834e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
acb2617129d098a3d5264899bb981e8a

SHA1
37611d18ba208ca8c4952be5b61dd6a84ae69e33

SHA256
9a8212389ecf3f234aaae7574b45bb16430d47e53c38ec86689af26dc0e4546a

SHA512
a952f802b900eaacc599285a802737afe9022676bc20004a00de205f5295c265a1a5652451cf0955f25675a0363472e521036e6e62507652c938c7bf362f8866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6a2864502942ce1169fc88f25b1ddf85

SHA1
e5bfea27bc834176462b698addd76f3efcc40ad9

SHA256
9b2c243351616f29548e9edac34c1f7022b1f3392708966f4de3a664b3e0b0af

SHA512
acb29a6dba9a4d617d7fc90c4acc7135239dbecc87be1447a2ce28d3a37e7acc9b790c4bbec7da65e8318fcc282581adbd18757ec010864119bbe26588d0a415

Download Submit