e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
Size

896KB
MD5

a3beef6a66b23c3889bbd7f43a4043bd
SHA1

dfd6476be8e0c03a16a9e86338af8306ab037f5b
SHA256

e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e
SHA512

e778ea3afbaae79fb765dd17dd683d9297cb8adb9f1cbad0b99ac7aa753903f7ff6a6c5e02e6e2a5d3bbb6203451696971eeb8c726b3c6b71773b455a52feeb2
SSDEEP

12288:oqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavT0:oqDEvCTbMWu7rQYlBQcBiT6rprG8aL0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
1148	msedge.exe
1148	msedge.exe
5644	msedge.exe
5644	msedge.exe
1800	msedge.exe
1800	msedge.exe
3828	identity_helper.exe
3828	identity_helper.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3524	4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe	85
PID 4720 wrote to memory of 3524	4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe	85
PID 3524 wrote to memory of 3216	3524	msedge.exe	87
PID 3524 wrote to memory of 3216	3524	msedge.exe	87
PID 4720 wrote to memory of 5644	4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe	88
PID 4720 wrote to memory of 5644	4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe	88
PID 5644 wrote to memory of 4124	5644	msedge.exe	89
PID 5644 wrote to memory of 4124	5644	msedge.exe	89
PID 4720 wrote to memory of 3996	4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe	90
PID 4720 wrote to memory of 3996	4720	e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe	90
PID 3996 wrote to memory of 3976	3996	msedge.exe	91
PID 3996 wrote to memory of 3976	3996	msedge.exe	91
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 2220	5644	msedge.exe	92
PID 5644 wrote to memory of 4980	5644	msedge.exe	93
PID 5644 wrote to memory of 4980	5644	msedge.exe	93
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94
PID 5644 wrote to memory of 5520	5644	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe
"C:\Users\Admin\AppData\Local\Temp\e7ac5252708edf7dac5b6b3492a56eb72c5d8b861fca78becf51885f0cebef5e.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff850b46f8,0x7fff850b4708,0x7fff850b4718
    3⤵
    PID:3216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8486408881512475278,18309190511558916674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:1520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8486408881512475278,18309190511558916674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff850b46f8,0x7fff850b4708,0x7fff850b4718
    3⤵
    PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:2844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
    3⤵
    PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
    3⤵
    PID:320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    3⤵
    PID:5896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15368458957954826303,4710741917134960424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff850b46f8,0x7fff850b4708,0x7fff850b4718
    3⤵
    PID:3976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9448710154067346870,13165423848879220751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
66a57b2178692c27ad4a6b4a8039153d

SHA1
aeae73bafc5e0cfd97be88eb8f1303d3005f4ed3

SHA256
debc1492398fca357338232f7e79c25c844ae2c35adbdd77c8c5faa3fd71e1a4

SHA512
17bfe7732b37629fc03a90df388996f64954bbbcb84d17f40c6b3ecd8a96a9a1eaf9ba53478c5b328205397a0ad9e4dfe4a7b9225fe4d94bcf461558e42bd2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dca30055852b44f91c7f5c55fef63bc6

SHA1
8d656866b01f277688a4a910f501c7b8378fc681

SHA256
a522e4c764d55c3ae10ca47b88ea2c63db2e291bec93290d8ea2795aeb93bd0e

SHA512
ab69397e2ca174d22bbb1f2aa8eb9c497c9b1188ebf960789cdf0e085253e8c9b892dd472292feb1e8d1acf0fb38791dd48c9582bf7ee6ae5045ba8dd38161cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
937d321bc4ef054f3ceca8537c65f244

SHA1
22ee1b24efbe2e0070969f3ff134ebac35942b00

SHA256
cf678e8a8944a5b1a35e73d2a9fe51387c1d4f0350abd0fd6c1cc2201ade46c4

SHA512
4f93574661871beff6f181833e7c3184b63c5ab844cc56aefbf1ee4aae033770115d3985bc61a4cb9bf088978529b7301239e4fe542c0aafddc8c37cd1392557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4ba10df98ef75428fe05668f3bc0a77

SHA1
bf6d97470998db198200a4b83791d5916dfa7507

SHA256
028e82afce38ad54219ba4e2bc09793de40133cd2fe0e6f2a57a7f44c6445b2c

SHA512
ace7e474ee86057fcd76756e104970b20c3b9622f9715a426b0e231fee2187041cb715a8825afe4c6129ac18b414520ea97c78d644c9d0b093c81cf451c3940b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
da627401f31091f0f8cd470e6e7447bd

SHA1
5f2cb0013c36f9ae83dd8767ceb54dab33f4a6b9

SHA256
d5542d5ba4d1c6ef5105d11bc5b5f8b663396776da95ed4ebfa0f311b633e39d

SHA512
3716448e849a16062bc8985f7fdd7cf4b3cc51ea66e84933aad56b2a4a3498238cdcbd721752a4ec135ad7ca5b6a9b40ed958d1b4eb93e334fdeb5939863096a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
3085c7214722cfeeea3ebd958ca2cc04

SHA1
613f82ab59fdad07691b3c9367274592bec6cbbc

SHA256
dfe4e6ec980883396a9ab8fcb64c270dd7633ab3e0a71ec7320c3593da22d83a

SHA512
29f17eec3c381d393f62d06b634774fa937ae0d6dfe846778a76a388e018893de63e7098e4819555a45a959df4d64021cf2e68ee9b95787b70b301cd014e3ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
42a07fe741ec951cf55f9840d7c52bae

SHA1
782829b14dc4b49f3ae5b1a6a245c752afe0ce9f

SHA256
9b57c8a1722feb23f536756d81c13b822dbfae2127bba7bcc1e666a51da7ca80

SHA512
b7b967171ffecf9fcb1748c1cdf97a15861ef2ee745b69e9d585921053bb87be59708c6672e2f1c4d23dab8baefc9d88aa36ade80ff451a47f8b9840d2ee1b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
5fd7e7b6e6ff4133e060ba5c253981ed

SHA1
4e226578c86a7ecbe51ffcdc10366408fe653a93

SHA256
ef700cd4826fc83c3dc6968a6567c1f237736670164330c3cee83076f271457e

SHA512
9c9c0ff88a174bd4e24f88c5addb3c6d5e02f991791c136e27f8d1dfe56c843749d92055b3d1b3a9d502719997e443e7da9a445873734a638578df4f814f4e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
63a897eb259e8fdc0a6c06145bbf08d5

SHA1
75632953a8939f9f7ff7e3ebd44ed3288176bff5

SHA256
a8d5002f62cd00ebb987789c65161f29a4a09b256e337db077498e42e713c213

SHA512
8e03489848c4af798417e9d62d1eb95a494ea5eac4eb588923ab6df2410f4931e9acae2641d7a9441b6b708db9744049629309464160b7c8c0f92101b3fb1b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
341b438dd3f9796a6c81e32e32ef3a8d

SHA1
e3b0cd7f36bc7a3edea45d4bdc0b4355fb113701

SHA256
6fdf7eb7216bcf3192339b0f1b280224940d97cac7d7e23bf9e4e305349990a3

SHA512
92acf08591d29f2c534a25cc8e50593808ad600fb6e9e298850a59dc1038856bc9fead61b0ca28b274d7039017631f984ccaaaeb0b34f2a8df55e3ba01d16591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578676.TMP

Filesize
703B

MD5
7a67c3571d824b2b0652665ab9186d3d

SHA1
8ebf31e6ff01bed2334ffb54bce92cb6ac87612e

SHA256
7b89de1924cfe1bc3c23fc5b0e5a51bf3096ad68f39052719d1b5ebb8abbdab4

SHA512
94ce15131b43bfcad258395d5d2a171f9bb452f13749590e07328d338015b925a0e7a2fa0c87a306892bbfafb77e464a0358b259f710d06346a86aceba2fbd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8063e5d1d57744c1df69c796e4acc9b8

SHA1
42189b16851a5f213d46747f852c4affa8bc2f63

SHA256
82ff9c019c66f6f021629104133a046c3398421619ff6053eacc309ac92b9eeb

SHA512
0875150b5a4065ef132b094f3cec07f44dde24740550d44b94c47cf8e0f29bc38226defdda7b1290ca2919261ef9da0f7f0f7efe7eec87a3f0b0fde713f0e2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ba49b536c14ec8df729882ace500cb7e

SHA1
4aee534e82867837993b745b43ab2a209624c5f8

SHA256
4dd77480cfb2f1036a884d51ab76c7bbc05c5cd313e7fe0b599ba001b9d9804f

SHA512
c7316f8e8d0be5e1bae504656cb0f502ee2afd28d607076fc58f8e6feac0e7bac7b41a2203c660e5435713de35c3d8f92cb2a4325865305403d72d1dfd6061ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15cead16d03b3e1ab57009586cf4875a

SHA1
86ae77beefa216c4effbd14c06be2dcaf1006788

SHA256
bd71059c3205f0b85a7f7cedb65d1dfb3ab2cf4a06c649fb31a3ac270260f813

SHA512
690c927133411ed75fd31f71a3e7e07f900e1828712c99219cc8cf1ebd3be61bf9d99a92bb06ba73716755c8b5c694a1f0d8ba80c366bd6f5044d2dcc1dc2568

Download Submit