1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
Size

896KB
MD5

64d71af9becf801cc05ddaf273538029
SHA1

0816d61b7507f62d2c5ed17197f857745d5d671b
SHA256

1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa
SHA512

25e2ed48cf8dc0c2703d921b4219dab078ca713a2b052df01141d09fa87502e03de86360ee7464b0067a427ae7d19ff9ce761a83ec472fa029d8f50349587c3c
SSDEEP

12288:2qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapTS:2qDEvCTbMWu7rQYlBQcBiT6rprG8atS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
908	msedge.exe
908	msedge.exe
4448	msedge.exe
4448	msedge.exe
1920	msedge.exe
1920	msedge.exe
4100	msedge.exe
4100	msedge.exe
3580	identity_helper.exe
3580	identity_helper.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 908	4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe	79
PID 4600 wrote to memory of 908	4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe	79
PID 908 wrote to memory of 3564	908	msedge.exe	82
PID 908 wrote to memory of 3564	908	msedge.exe	82
PID 4600 wrote to memory of 1460	4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe	83
PID 4600 wrote to memory of 1460	4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe	83
PID 1460 wrote to memory of 4684	1460	msedge.exe	84
PID 1460 wrote to memory of 4684	1460	msedge.exe	84
PID 4600 wrote to memory of 4180	4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe	85
PID 4600 wrote to memory of 4180	4600	1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe	85
PID 4180 wrote to memory of 892	4180	msedge.exe	86
PID 4180 wrote to memory of 892	4180	msedge.exe	86
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 976	1460	msedge.exe	87
PID 1460 wrote to memory of 4088	1460	msedge.exe	88
PID 1460 wrote to memory of 4088	1460	msedge.exe	88
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91
PID 4180 wrote to memory of 3328	4180	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe
"C:\Users\Admin\AppData\Local\Temp\1a3e2089a2ebc017bf4c8932f1f198f8b156102e5ec662dbd0bd7c0135cbf9fa.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9ab33cb8,0x7fff9ab33cc8,0x7fff9ab33cd8
    3⤵
    PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2388 /prefetch:8
    3⤵
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
    3⤵
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
    3⤵
    PID:2696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
    3⤵
    PID:1520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
    3⤵
    PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
    3⤵
    PID:3572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,17937585045467537322,6480446180057617418,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5244 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9ab33cb8,0x7fff9ab33cc8,0x7fff9ab33cd8
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,15302664071638834071,10240160875607086380,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
    3⤵
    PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,15302664071638834071,10240160875607086380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9ab33cb8,0x7fff9ab33cc8,0x7fff9ab33cd8
    3⤵
    PID:892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3200893579497775785,5837458801367643201,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
    3⤵
    PID:3328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,3200893579497775785,5837458801367643201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4fa8bfe6-c2de-4f97-8762-c5e176e3c047.tmp

Filesize
707B

MD5
6ed7082c2cfbedca786710e71342d65b

SHA1
16e7660c37023e0387969cdfc3d195582d19b337

SHA256
3018afd382be30c032f8d70827e135590ff7d3cec6d7dca0f67130642b23cabd

SHA512
c21370ba0e2bd14d506dd199d22e9cc1f0869814f6589dce2d1ff5b1f5e139144571b2632f071e1fda541e5545ed6d026e1298ce503d0afb9f55854bb1cc4e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
ee456aee41ecca2b7c6e42ea199d93da

SHA1
7b77188f3379b40d78780dc312ca55e86170542f

SHA256
3e51deb0a9f364178f16fa8192054212d094665eb53397881eaff94df577db80

SHA512
77f1e541ac09c5f7999058588c354e4118c78f64eedd53161aca3aaf670629fe6f8e4bc8ca6a1e7691905eb7c6f490114ab2d8e957ef29a09bde41a743e6c395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
78b172372bb4dd32e1b0a2d324f7c51b

SHA1
0cf4e7219ac13d33de716fb611c998535b6bfe6a

SHA256
e0ff1e2c132fd679172cc5d804556ba0a4b9abed6fed26bd9180b16cbb910c3e

SHA512
1f205c2e6ea1959970449483f740224a134032482c4dfc62b2494a09752658653e6864359a471a386debf7f01a77350a69f92c29e2c2e7ebc7965f969d7914f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
354cd38c5a6d36bf491cbe4c132296c5

SHA1
8fd62fc50fec09b5e1922115d0f335c8cbdcbb17

SHA256
1fea20af8ed862a03878f264a5a7b264f46856fc8f69b0236229d6f2eeefa010

SHA512
24a61123609cb18180726c6b0082cb08c0755852ed682b2f4a58b9dcef877364ac9a4fc2120b0df009161605e00cc640c93f92753d615e447c661f6ef0690256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d0f8610273332c5f1d5d57d7aec3fcc

SHA1
ee11e33df39fc374a8980534f631248bad145537

SHA256
b27a9cfcc195d62cd67e3431907e3bedaa26022c1c96cb8ac3b471e84bb87ee3

SHA512
8ee45570a8ab4c351b08fed9edab3923857903bc0d60abb7c0c98904830cad44d20c1b02a1ea1007d47cfe5ae622498e1b6f0daf93ebc0f55a3d38647fea36ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
881ab3c03dc15696604a9cd9cd5e1bdb

SHA1
c1d9db5c5a174a812a36dd9e448ae7d700375dfa

SHA256
af03d97dcbb9187ff2898739482db23ebf01b3a2fa1469236514942f0f2f11ed

SHA512
8b1e47026c14e7dd38f45d91cb454968eced0738098e6dec4d90f6872245b6242827b1b60e3a1f9a72fb20681d53fcc371e6f55f31d9bcb0a462d152d2c8462d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
b19fcec3cb3d40eab549b072cbabb947

SHA1
8edc7dd111545bf295dc267d9f0be0b1264ac3ba

SHA256
45bf95f9dcc7aa431a5bf004b065d821d1f95864f128745e67be6a672b32f935

SHA512
c5043061ee1943c482cb6ec0a05a2f1e4048c048b51d2f2669eca48f12ba4e2f78919c87b8b4127a34013425660cb34517a85ccfab3fbd50284198d801fbfb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
d2bb072c5705b9a15d022462810d9054

SHA1
e1f809a8ac95c732827838910803fef4dc9b3ba3

SHA256
a591f1219a41f3c339b5c7492b4f8c3b99c2476590760e74fe940f59991c1a49

SHA512
cc08a4c1f3461de97e16f5591e6caa994db9f58061c76dc0e0bdadd297b2fecde3b95992608a72c5f50d34d16bc60c74a97a2984b8171e9940acb973df82cd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
94fc8abde3fff6529577bca98258b672

SHA1
f9a699af031baafc5946b9b56122888ad2a6e915

SHA256
089046122d7cf86527ed47b2325423947dc5a134d5893b4a305a8317f7b7a28d

SHA512
191a58f86b1f1dcda57e2a1bf960ca9e95247643b69c3bfa2fc63eab8b5238d2dca866bc13867e1292a17af4bfa2eed2efe1bcc7b2e92fbbb5ffd7bc2e5ea104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579a8a.TMP

Filesize
707B

MD5
a583ccba4aa7df28c7f9a9a35e6c932d

SHA1
bd2473ec6aae5a0abeb7c95ed896e89e1c2a5291

SHA256
8ecf2100219095a0a8ba34aa74425f7a05283b762055e0fd06c4cbf2b60c06b6

SHA512
8f969fce82d9518f422a108400796b0a0b7b97b8dee8b1031d48e80c99838890b55fe609d5eadac953a5dff3997b522f2487e813419e42520a86bc64d63c808c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5a82b967aceb9731fd008b4039210ed

SHA1
3ec2bc4bcfe06d71debd43699b5f872918543962

SHA256
670fe704ca1cb2369a3a80d67f9b5f4511b6755aa4c2c44685174fddef23ce14

SHA512
e06a8f736de434b52f95727effcb908b7bb05b8a9439f161390894f0cf79942d0ab02e292a12ebeed518fdae5f4b08d18a6815f427accddb51377cf2b1a84ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8fa47d218a8b09928a667748518cb2bb

SHA1
bcbfb9167c2186db9ad63993d96dea21febbc55b

SHA256
cdbe34a8dab4cd17b4bd446017fddb98ac954e00551d8ddcb683272106862661

SHA512
10413e0693957ced00a028f98e0e32c81804021de7788f714e1dd703279789cde158bed7df328cb4ca94b4a8ebd987009a8d4bea9246a18b15e159f278c2e043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6251d6eeb11908500735823e44dcfad3

SHA1
ece17b61460e22a85475dc837bf01852d045fc84

SHA256
ec38e5b7c212ef4bd9e10e17339043d3c0aaeb0adac3795db5c290b62509b6b6

SHA512
81336a866528d0b5ce3ca9e1068c244139c4800511d1365e51ea5f9137b4dfc37c3e458819c47662a4d7ca118cebe6efbf0fd948f4e7505c56cf91d2fdd3fe1c

Download Submit