4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20/04/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
Size

896KB
MD5

7cd535b68c7ed643b290598d4e735722
SHA1

1bf6a94e1eca113da8c717221d4e2ad49e2b72a6
SHA256

4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0
SHA512

763f7ca41a7fb3115bef0f1be49835a494db666df5edd1d235b21a3bc421e87abb05fe5288a36655a80f17b3d5eefcc2011bd99f9d2aaf3576926a76b6fbfdc0
SSDEEP

12288:aqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarT+:aqDEvCTbMWu7rQYlBQcBiT6rprG8av+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
2824	msedge.exe
2824	msedge.exe
1612	msedge.exe
1612	msedge.exe
3936	msedge.exe
3936	msedge.exe
772	identity_helper.exe
772	identity_helper.exe
1780	msedge.exe
1780	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1308	2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	78
PID 2412 wrote to memory of 1308	2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	78
PID 1308 wrote to memory of 4300	1308	msedge.exe	82
PID 1308 wrote to memory of 4300	1308	msedge.exe	82
PID 2412 wrote to memory of 1612	2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	83
PID 2412 wrote to memory of 1612	2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	83
PID 1612 wrote to memory of 4104	1612	msedge.exe	84
PID 1612 wrote to memory of 4104	1612	msedge.exe	84
PID 2412 wrote to memory of 3160	2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	85
PID 2412 wrote to memory of 3160	2412	4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe	85
PID 3160 wrote to memory of 1456	3160	msedge.exe	86
PID 3160 wrote to memory of 1456	3160	msedge.exe	86
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 2340	1612	msedge.exe	87
PID 1612 wrote to memory of 5100	1612	msedge.exe	88
PID 1612 wrote to memory of 5100	1612	msedge.exe	88
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89
PID 1308 wrote to memory of 240	1308	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe
"C:\Users\Admin\AppData\Local\Temp\4491849960575346ba053221a05d6673f4fa032046705d26194ec37feb13b7d0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d84d3cb8,0x7ff8d84d3cc8,0x7ff8d84d3cd8
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,17040979129935813002,7545992470550988213,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:2
    3⤵
    PID:240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,17040979129935813002,7545992470550988213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d84d3cb8,0x7ff8d84d3cc8,0x7ff8d84d3cd8
    3⤵
    PID:4104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
    3⤵
    PID:2340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:3900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
    3⤵
    PID:696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8742137527774707517,5950595549005705537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5140 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8d84d3cb8,0x7ff8d84d3cc8,0x7ff8d84d3cd8
    3⤵
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,7971428563553208671,12173668364733160386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
696ffba7b83ecf008523e96918f200d9

SHA1
970d90e22c8b3674fc33cdd1913c51ef28514255

SHA256
dc6dacd725d7385b2e4db1f488d93f2840d2289efdaaf3737849304d1ab9ba34

SHA512
f8528683b70b58376f3eba3338fa6b462c9e9248c72524573005cff6397a0556bdcc2fdc2ebb020ba8218bc8174ba552002f223a245dfe3d3688826d24d63237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54caf18c2cda579e0dad6a9fc5179562

SHA1
357d25de14903392900d034e37f5918b522e17c9

SHA256
28d77529de92eb605d8afee0e133a7d08e13d4386e5e38d63e2da34623eaad6b

SHA512
88da5a33df9d82408afb8344ec7dbaf7686435fdb55eccfb85d5560f39861e84cef5d71949d5efe7a191778e6be755a8448f3fc3d7043007037f9f5227e10210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
775228cc658f4f34df3fa5e41502dae0

SHA1
7a2bd1a965406ea753b487d1501be00d3c5d6ee6

SHA256
c68a3e5809c8b1d9ae23a51ce35fe9c679b911517f4c12083c9045aa9b7d7dc6

SHA512
5a7adc9f2f4831f0c634c8898c745dfdb3c27d9c74a6335d4d79237c8979cf4739062ca5a1c505bee36eb09066e17b04d116ffa11f5853f252c847e99708f601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3821c547da564d4f4e651fabc58b7023

SHA1
f1a8f1d2f5f48d894475ecc47139aaba6cf1ffc5

SHA256
ad1932b359d12dac7c81ad609a02563c729c2e478b36a868fcc6180e89e13fa8

SHA512
9fa0827083ce57a0fdb3b307cff088511fe64f51fdd3a0ea5ea2227519b56479a80d80d524de4362d084d9a7ae1a8a633f54b832313b557d19bffda4a48c1746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2a5ab807e881b98d102ccb5857aea841

SHA1
1c482a532adf7b01d7d3dbbe282b8b5837e74add

SHA256
1d4200b14637f5c0b7ce5621011fbc36faceadd417c01f626d525614bf910fd9

SHA512
16191b3a4b778ed60dce942c15b573129ae98c1f57c65b62e93f68be401ba92dd1c95f09ca95216809d5c1354c14a9b92179b56cb499fb6218d541ebde390860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b494f2f72ebd7c957c581bcf44dd4fd7

SHA1
b17c3358a4c8e58fac2b3c4324b46793c47eda89

SHA256
6765334e380514b614e93ed34c302e5dcf5c6d6af045e0b9c63fdff05fb122ca

SHA512
f8891ad43ec5519523e8442e5158ab5fe0375d758e5947f2c900da687c94cbf0e7fb01380c95299c413197731bfd54f8efe0c688033afc0be913379af0e9490b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7b6acd3191e0a7379103ef3d3f1d8470

SHA1
cda8837c112b869f89e3b20344e120416f4648df

SHA256
c1c26ee0f836d8f75e2632bc16b0616cd96e1e9fbce3af898bc5b92d217e5fed

SHA512
d114b3b3690c7fd6a8dbf53e5ca2add5c940f5782ae8009ac2c5e3fd924e4a4b4d52c285e00e6bef21cab18c493198459ae5792cab73bf4e882458dac544aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
58d4a02628edee1749b71cef3505e463

SHA1
3cf7663d172d0ca841464679097cb144a3229ff3

SHA256
8c9c7048908c52efa674dd6819f1ead2eed19443323bfa0d30187bbff93f4987

SHA512
6f5df939c3f55abafb50817aa79a40f8e61e1455c993f76f97edd713adfdc083cf0ef5fe9237831e852ff1642120b89ebe97ef4081622bb98e7e13e6735a1a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
b2e6a1d33dea2c9dc0470382210747f2

SHA1
83a8389b28186730da8f6cdfe7eb55cafcc574c8

SHA256
f02ef1c065a9f6fb54829382f69610eb0268b74c20cbf86124d38b7e17dd126c

SHA512
7d2d2db43575be52f11a3ed69c27b89b830f7186c77d232bb398e63bd730a1d84c86dd1aa0af98f117bdb23d1bc40b636fb0a133bb4f78cd607dde5f85c482ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
535B

MD5
eedaa3cba89d835eae0da0cc594e9301

SHA1
958a2515b4f9098cb3cd83ed88b750301b39ea41

SHA256
a4a95b9106532e13f11dc20cff4faed74040993f45342694c84f9ee2e1a19237

SHA512
7cf8cfaff6bb468ff11137a5f94276c6b83e049ed777f9345d5e27e1ac8f6a6204401ac1584176c9b09c54b6f37b63f26f866b56e12d79e1b843c0181be3a7b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
02fead40ec7c2fe6818b4c4feca61772

SHA1
7f189a44c16138a040626f1d9b151c59a40a3cda

SHA256
a9e4f03517fa07e918cf71cf2d4458bc40fa8a8b79e2df1b24d62476859df430

SHA512
8c9be21631bd827ea38af50abbbc9f7476cb746e39f17072e07c7b1e116e40c059143c76d274628c1c1aefe070348873b1f56855dcff30430feef5968e9c05c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
535B

MD5
27f51221d01462b4fd67646f5927032b

SHA1
90bfcce05b3ee5fffb5b48b5bbb49d27a885e2e7

SHA256
01cb0d4b3b7b0b546d1624e98d3e86cdf6e80692beb3fab794481924744ab9d5

SHA512
d35ab468f29dbc85ceb58bce62494fb462f32866b236318ae3b56c867a15929a0cbfe0bcb1132d5512ffbb02703b6fa4719ff4de4c987cf9baf8d80f50e79859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b5c3.TMP

Filesize
535B

MD5
e9f742d5ca61c2ce028ecd6322e1d612

SHA1
57c7d02b32ecb930b4e1ccb2e556656e05f6de4e

SHA256
71907bff22211f61d9d9f159a4b404f59e9453b7606d2b18a36998908fa625a6

SHA512
6ab3772ac9c556204250b56a83c5819069160c950d2b897b9df9c1700ea7e53c84fd9dff59f7ea73ce4d96bd2bf53347332cb119195c9313a9f843414b8bd88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5ff534f47fd6e3b4493be6457cf955ee

SHA1
2038460f1fa1890194be0ab6457719e4c4b6ae79

SHA256
e78cd35ecd541eefd8517525ee3041afe88bc134fed7c5d34d9c586f399152c0

SHA512
d8f03dcd49c0028d269c925a797664b693070ae9d4ab10181f10eb61d2eb973b729cce33d573874046f1f62b0b6b2aee828b12a633da8eb1b5bf433ea2bb8123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f73124b06fdb85b2deeb1138025cd005

SHA1
e2951a1f47cb2f80a5a68580ba925d27b9af55bd

SHA256
1d384340f3f24cbaad1ef71aeed74057ce4d88eee666911a1ad7606536b953bf

SHA512
f064ea2183176261912618c2f00cb65dc8cd2acbca73aa3f3f7fe9587c3cb91b47b5acbd79846c1c9b039d0d895a8b067a0dd41ca22271226358a17e8f2c0f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7167afb7a3ab96eab0a0c753dfda1c5a

SHA1
25014266c0ded1853ea824a246bcf6d37eca4278

SHA256
43cc05c431dbfc9e6b5713e4535a1d8b91dfbc7e1b841eddb8e3e0ed4bd7b375

SHA512
9ad06a5619c025cafbbd967e42f0954aceb2cbe3376f5129de66f811b5bbf3f223b5a4c6ccb8188a487399359cbb1cfb3b47ed23412bd5de8a423cab263d6256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5df3f81b024ab4a817c7405597de9b29

SHA1
2f2560424da00aea31af022129243e6343307305

SHA256
ee2435ae772777f6966448342b1e83ff0ee3005b18b860b8a39dc19a78287dcd

SHA512
da81b01af7f8645454cd3ec77ac6754d638d089e887c5e924857ac7acc501924642fddf625dd837d13d3f568eec92b5e34907b9d8a67c76d7725c1ce9081746a

Download Submit