47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
Size

897KB
MD5

4372dd6fa64acf25d73a7c61f7f9d605
SHA1

e1fd6e1a9923df1c308f2ce9f99d9ab215e39cfb
SHA256

47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d
SHA512

5707e556d36d9a4f6e2f9bf7ed2c78ab79db4fd655d7a7e97cd5aa95e72c1a8de10c1427b34c1cd5b79e7aea52f6095d125f117fca1395555a880ce1a9464275
SSDEEP

12288:VqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapTp:VqDEvCTbMWu7rQYlBQcBiT6rprG8atp

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
2028	msedge.exe
2028	msedge.exe
2540	msedge.exe
2540	msedge.exe
3264	msedge.exe
3264	msedge.exe
3224	identity_helper.exe
3224	identity_helper.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3916	3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	88
PID 3756 wrote to memory of 3916	3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	88
PID 3916 wrote to memory of 4920	3916	msedge.exe	90
PID 3916 wrote to memory of 4920	3916	msedge.exe	90
PID 3756 wrote to memory of 2540	3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	91
PID 3756 wrote to memory of 2540	3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	91
PID 2540 wrote to memory of 5116	2540	msedge.exe	92
PID 2540 wrote to memory of 5116	2540	msedge.exe	92
PID 3756 wrote to memory of 5100	3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	93
PID 3756 wrote to memory of 5100	3756	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	93
PID 5100 wrote to memory of 3700	5100	msedge.exe	94
PID 5100 wrote to memory of 3700	5100	msedge.exe	94
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 1460	2540	msedge.exe	95
PID 2540 wrote to memory of 3280	2540	msedge.exe	96
PID 2540 wrote to memory of 3280	2540	msedge.exe	96
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97
PID 3916 wrote to memory of 4796	3916	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
"C:\Users\Admin\AppData\Local\Temp\47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff90246f8,0x7ffff9024708,0x7ffff9024718
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,10184982328422309419,6607484727183432470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,10184982328422309419,6607484727183432470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffff90246f8,0x7ffff9024708,0x7ffff9024718
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
    3⤵
    PID:1684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
    3⤵
    PID:3316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
    3⤵
    PID:1564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
    3⤵
    PID:5300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    3⤵
    PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8876265159744006383,15896534781969852363,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5164 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff90246f8,0x7ffff9024708,0x7ffff9024718
    3⤵
    PID:3700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,13299761930901471221,14303041290468272069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,13299761930901471221,14303041290468272069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b4f69ca52bdcc4eacc22856038d1c636

SHA1
6686b723c9c5042a5cb64e6037afcfe564a14204

SHA256
8db03fbf3c9590be8d8e7e94c421150be2254029786f9a4fa4c4c0561d20e4fc

SHA512
38284bd18107be5ccfd0ebcbca357071af0f51a0a8138f7ad5df42fb0db8a816e1d9322b5e8416cb648620163329d8968f51df39f9da8c5dae7be593d43fb787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e2a22b834e320036b16971089b9c8d39

SHA1
8868517dd0bf2c1d405448bcf18c8788490a924f

SHA256
068956200bd7b6a36a9c3009833e37417e5c7234901fedc3e4df448c55d7da27

SHA512
522371204d30e0a4db036bcb2383df84e6cfa4a638a3561e20d07a15699fb635179d203b0472dd48f0304d6251a61840b235484bd05cbca1ecfa54195a6c58ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
89ae6d474096e94d672521ed0f64921e

SHA1
e53c4f578f3f1c268f38d49cb5716f58b1ce3e5b

SHA256
709d81ffc3dedaf8e0b4871bf9254fa238eb1bc8f3b70e7a8b07f65fa30299bb

SHA512
66a12e0b87fe72eb80274bb24ce914a0ce1f326cd891ff386cf970b4139b84400eaff520611f64fc52e8d8e347b4ab1768ffeffc434c9e100c846be662f0cbc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f257aed5a056899d2593faa1bd50146c

SHA1
72d8592c5f5bd1414de79f0bd89236a8aba5134f

SHA256
41331c719b7d85f826c87f897e2eac9b667a2f852f8310e037ecb8f8cdf48bc9

SHA512
4daa89a73a5789bb4380a2dd75523f37a7652e5139c0d320078af3a47beb67bd1673fb4dd445e2f508d5ef46564927b5a03233597bc7ae3fc20f1f3e875b31a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3a95a8ad2fc1c1e821e018599254bf96

SHA1
86d2ee5cbb467eee2c52262dbf282e5227515f82

SHA256
44568cec359510c8a4079fdaa3bbddfe2309d178b54a23e488053e91adf59d40

SHA512
d28047225ac0fc3601b74cd3c5d653afacfb0eb1c04ff4553edcb4acb0bc1864e4a370e934abd0c05ca66d93e058e230ea8b6e7f0966f4be28a0efb91b2915f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
023ba820378f0f46a8ebbc9897993d01

SHA1
e693b3cffad47917be5fa67d9a5327aa5be1f79c

SHA256
1bd185f913cf0475b38dde1897df5c3a1caf594792d6721a234b7d9043ff0aac

SHA512
fc1767997c6d52af6a163bb7e7e2ba5a0ecbba975594706a899cfb0a65c41f75c3aab47cef7693160f36a35c389154e345bc719a40f909a01e7cafc13ddc00f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f3b1c7ae58a49e18f950b6d91eaa0c0a

SHA1
f232644fb939885af19b5f92de3d79e8d3e270a7

SHA256
51eddbd291a8e411990bc2c4cf75744b7ece5a7e2f3a1338cbf2f2d000d74893

SHA512
890f5b7a30818533a16b32b798b306192055cc44f211fe780f6d07da39a420c8c03d2e2fb0fd89d08a49f0abc713e0e1aa9cf377cc6058812fdbabce3710ffec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
508750fd8034f26cbadf60bc6c5ec500

SHA1
ea4f8f8b73818ceff991ff466b184e47f35a111e

SHA256
31c69d8dd6afd2010f33cd39dd70600b90407d5438044a3c24ec7559130f4b1c

SHA512
4f40ae2e66d1ad758d3ce840521b76d7a91301bd9b8f6df2b9519ed490fd156b7763f5d0b51bc3304a36eae33591f683510b3c9a5cd1f58240f46a7cf2130b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
4cc5c8a765abd15b42ded473dbfb83da

SHA1
9c62b23286eda4ec6a92dd04b490f1387145051e

SHA256
3a2c0287306c767f245151cc5db2420ff21caa389f551dc3559e2d41cb908b4e

SHA512
1beb9afb688d47e792ff12ad2a86bbe7efd3a62a129b16222e9fd5c0bd4246350454d4440b057883f3365d407902ba50987489821bd9023854c12906ba349eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578e46.TMP

Filesize
539B

MD5
92ea92f34de3c554b4a36b9024132aec

SHA1
8e8db2e7c88de993d2e902ca29197d97b7750ae1

SHA256
7f5df16c1c965684ca6c8a4f8b21b7d933ad8b19606d6a359a3cfc27589a5e9a

SHA512
1df9c858793e372cd2a743f55d6f62f0ef8f89c73123a6c87effa0de53ece427170032ef48c22803a9c91690d01a8061c3d66c9cca4c51225115293d40559156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e96da29ced4b0b8ffac86ad198a66ed4

SHA1
3c6640db2a6b66fbcb9556494c26b9cc625dd6ce

SHA256
6ff059ca339a261e9994b61473b5d6b3dd7696900608420dc52ddd4ed9998fd2

SHA512
88e713663dbf3b0a344ecccf88e510cf6459c58b321e043c7d0b5316c185741ad4af4900c07085da0ea8fffc63f34b81a3ae9675c502681021bafffe0d36ecf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8ffac7e3d32cc32c6aee3d5d4ffc423e

SHA1
62715bd875acaf49e946e4f154f866af619dd95a

SHA256
2ac23392a962ce2172aff8ccb917aa893e2a7a3cc8fc8c289c423e710c38748d

SHA512
f1d794e1ced6e1e7b8b114edd007bdcb2ecbc109c51e141a8038da999b5e0b616c52fe1b1c883ff69be393f5e38820832f4ee618684e9a521b1ac12dbe3808b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3ac8a1e0afac2be27fe6b8b9cfd85242

SHA1
0f3736b705b5c51fda1e94be5abdc7f360bc41d3

SHA256
a989f1bf80f03b599c07d3950d8463de73887cfd26ffd113171ea3ee1c9482d3

SHA512
e094aaa98e44df3e1acf9dcefb77a1bed5c779c193a9e91c16501e051a7ce08f5171a5660195c5e0ac6a36607115a12b1223dce92350601280e6e9570771dbfe

Download Submit