4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
Size

896KB
MD5

7cd535b68c7ed643b290598d4e735722
SHA1

1bf6a94e1eca113da8c717221d4e2ad49e2b72a6
SHA256

4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0
SHA512

763f7ca41a7fb3115bef0f1be49835a494db666df5edd1d235b21a3bc421e87abb05fe5288a36655a80f17b3d5eefcc2011bd99f9d2aaf3576926a76b6fbfdc0
SSDEEP

12288:aqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarT+:aqDEvCTbMWu7rQYlBQcBiT6rprG8av+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
4540	msedge.exe
4540	msedge.exe
3752	msedge.exe
3752	msedge.exe
2900	msedge.exe
2900	msedge.exe
3940	identity_helper.exe
3940	identity_helper.exe
5688	msedge.exe
5688	msedge.exe
5688	msedge.exe
5688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4540	2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	87
PID 2188 wrote to memory of 4540	2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	87
PID 4540 wrote to memory of 2316	4540	msedge.exe	89
PID 4540 wrote to memory of 2316	4540	msedge.exe	89
PID 2188 wrote to memory of 4028	2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	90
PID 2188 wrote to memory of 4028	2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	90
PID 4028 wrote to memory of 3444	4028	msedge.exe	91
PID 4028 wrote to memory of 3444	4028	msedge.exe	91
PID 2188 wrote to memory of 4928	2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	92
PID 2188 wrote to memory of 4928	2188	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	92
PID 4928 wrote to memory of 3200	4928	msedge.exe	93
PID 4928 wrote to memory of 3200	4928	msedge.exe	93
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1636	4540	msedge.exe	94
PID 4540 wrote to memory of 1516	4540	msedge.exe	95
PID 4540 wrote to memory of 1516	4540	msedge.exe	95
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96
PID 4540 wrote to memory of 2012	4540	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
"C:\Users\Admin\AppData\Local\Temp\4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa7d8e46f8,0x7ffa7d8e4708,0x7ffa7d8e4718
    3⤵
    PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    3⤵
    PID:2012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:4036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
    3⤵
    PID:1348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    3⤵
    PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:1316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7943505604278839828,17193745474368348068,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7d8e46f8,0x7ffa7d8e4708,0x7ffa7d8e4718
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8041492583959710221,16729068222043033348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    3⤵
    PID:892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,8041492583959710221,16729068222043033348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7d8e46f8,0x7ffa7d8e4708,0x7ffa7d8e4718
    3⤵
    PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,9478667716063292221,17782361325808742931,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,9478667716063292221,17782361325808742931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4cbd588f-76f6-4ec0-a979-3fbef004da66.tmp

Filesize
539B

MD5
8fbd8975cb98435012a5a81b07a962bf

SHA1
a546edc95919664656665b17db063fc1b62fa226

SHA256
e9e817e523847a305359c36e32073e34e90fb0930daac6734ebdd3832a225d66

SHA512
2e20e6df3b2e7a404470372d2e0d2b4afb0833d658d0ea6d40539dbc42345e88748d0ee1bbe8463e2ec49fa0a1a86f16bb367f9c84f44e61bfe7c1f7b5665f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9cf1718f65ae4ecbf185ae8a6e804b9e

SHA1
3837b3e5a9c0e5623a54efd0f4e3867628317ca8

SHA256
4341ec856e25bf48104b839be6650df71e573cdd5def1495dc269e14e010c9f3

SHA512
9a007d2326d629cdfb7508f29015b3399be850ab6b45daa4f37ba26801ef9409f0cd0f205bec673265ae47067ec4f48ec2b289ccfde26020199c32a93ddcb925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
84381ad0d5210d4fb7cbec7ee13c2456

SHA1
140009137c643669413e86e4e9d63df28540016e

SHA256
16f60c913aca9f4eb7c7b5879a908d7e6bab8faede3241a6c5352fbbd2ac9fb8

SHA512
5c12f285f332cb9a0b4382795157b6c799acebfaafc1330ffdd3fed77ed7325de07ef5f7a4ea88112e295fafe144a777d86859d3076c78206a96a7982581c934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f5e460d00d2986803e557525817d9a1c

SHA1
8a2b802bcfaed11cb198994372b67a1cdd249dd0

SHA256
c4c231897ae995681c9f23e89e215728ed14beddd49e6b06f8f6063756b5d520

SHA512
3ebd62451bf3d54d6172910e6252beddfa5a25096b52d9fc05a223afde704192f9e8b6e15703359ca59aae19e18f84ee893b955f27ca4cf8a210aa933a30d682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
08d6d13af1d2e55197fdf1e9dfb56656

SHA1
a67ffa8f2b6a87b3b4521ad23d7db1154fd51920

SHA256
a3127c54eab9e54da443b2a34aa779016deb6d33ba41dcc1372a701ea4d6119b

SHA512
e9b5021db451b5391196ccf96492e6c0fc25c470a0b4f4c5819809699596df3844f7723a662cb1913ae7fcc41cb16c636b154ce73988471f45033addc6b1a58b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93ade955b1af75597a6a44e543ddaeab

SHA1
eac211f9d3c57c87ee653336beeb638ab7411f28

SHA256
e9f35b6ed8ebf0a2405e3adc906e25cc9ccad8fc23773115dd30c0b4cf4be16c

SHA512
71e193e801bd33ec0a78a946fb9274272dbc62a26098631d81db1a843184bdab0d3bbc4834f49f15ecb51637dc761d1bc14c3ec1dbd7e73ca84b5072283d89c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6b50e49844b4e802d1110dca5b33a763

SHA1
3babea3cbca4438c33e95afb93f6512b566d3866

SHA256
9d3a874595e63b7260ebc130c4887ef8cb7dbcc8f1022d5eccf2d2e3f980aa24

SHA512
0de6e790eb57ad7d6a2555e18ab24ad7720f29f6b65084913f6935b58986879236376273294a9d084c03bfc5e95c89ec9d0df4718f426eb6eb680ed5f9e74dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
83938b84535163b82f836edc3e09ff0f

SHA1
3aa551ee5c274e2b4651b7df390bda8d241f56fc

SHA256
0a6767b3971e273a4024d749be8371417ce74f182b5882139eaed587c3ca2c8c

SHA512
f59ac49221de50576f76c54bac309096975991b141f49a856ee1e791d7febaa01a14d6d8b414bd5eddfec66b90f081f32b8c579f4b4300624478cdf05ec802b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
7ecccb9fac3e20228007ad94d6aa5969

SHA1
ac366ac860ada0680be5645e35712d789d5d7562

SHA256
64422f7f717aaf3b87f75866dc163856e5204c8200fc7b5e45a7ca908a872a92

SHA512
495196cdafbdd11ab484c7b6effde200e0f62376fb74d3143f7e321df1a996c1a33470a89af0af54ace33fa8e09f693d469dd716e2143b13d5a4ce12ebf8704d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
723d54749fe9e9550727b080eb0fddf6

SHA1
9fa44d4231529a63569bab1538349cead6a35b4c

SHA256
be8fdb5fa1b3241b51b485324b14ce35f1b6ba428909dab2f64cfa819976c839

SHA512
0d8ae8cad72ed6f52714b1725e14316a85d0152f262a3d3982f88e6fdc32bc4606e54e2a5830e2b3a710269df4f70317933e8dcd0917a9f2da0d539a1e207869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe577d8c.TMP

Filesize
539B

MD5
f0d3579b6afda6eb96837ecf71ac0c5a

SHA1
bad5946fb0841dc66c89e733b3b69120a0fd1646

SHA256
6f02ef23138dc45ef22818d423b51188f88d1c909c40a36671405fcdf2e7ce87

SHA512
4d284608f08733435e7a423299255881dcb57d07c76388569c2ecb05eaab2eea92526cf9f6e3f8f60f0d1bc83beacd2b210fa36cf43d1e071e256be2eedd5312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7fd065c7baa7824c371f003803ebb70b

SHA1
87f56eee1a5ca65e3e54deddefde8f87b71185d7

SHA256
f98fdfcf131a60f9d14d00225514c79aa185502717785689673a1de4f163ee57

SHA512
e243efd56a9067b18c814c9f6cbd00937fa53ced94d04f3d50ac9ad3980b122ff780db4ff15eebdecc82fab3f74ea71e2d748e3c4a8fb87533055d216dde781d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ce58ed3e589dde94637c49dad32cac62

SHA1
2539e73dec41ffa83e5874509237147d49f676db

SHA256
f707653ed6fab3ed6094714f72a28ffd1d72f3e516213a2d19528679200c47f3

SHA512
d4b14ca73ac45d301cea3cbc3a0adaab13bd0a24df5548cd09feebf659796b62922342a22bac013e4a42d39e8c71babe2600366cb6d1e0de52fe2668f1a0f10a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
102f6c6f3e6dae1cca529dda66763a95

SHA1
3b75345112da068eed60a322181423597fce2489

SHA256
3e509b908c5b89df40f01d647ad67c47b26f25135736f6ca3e4c1eec1fb1cba7

SHA512
811a2526fb500d289e4a4dc0996f25443b958b1b54c246bdee835cce66a5446112024540bc4005d6a8185ec0b7d51b1a78d92053973f503ca9b933e2bd44290f

Download Submit