47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2024, 00:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
Size

897KB
MD5

4372dd6fa64acf25d73a7c61f7f9d605
SHA1

e1fd6e1a9923df1c308f2ce9f99d9ab215e39cfb
SHA256

47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d
SHA512

5707e556d36d9a4f6e2f9bf7ed2c78ab79db4fd655d7a7e97cd5aa95e72c1a8de10c1427b34c1cd5b79e7aea52f6095d125f117fca1395555a880ce1a9464275
SSDEEP

12288:VqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapTp:VqDEvCTbMWu7rQYlBQcBiT6rprG8atp

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
2468	msedge.exe
2468	msedge.exe
5032	msedge.exe
5032	msedge.exe
4772	identity_helper.exe
4772	identity_helper.exe
1188	msedge.exe
1188	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 5032	1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	78
PID 1496 wrote to memory of 5032	1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	78
PID 5032 wrote to memory of 2480	5032	msedge.exe	82
PID 5032 wrote to memory of 2480	5032	msedge.exe	82
PID 1496 wrote to memory of 4584	1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	83
PID 1496 wrote to memory of 4584	1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	83
PID 4584 wrote to memory of 4212	4584	msedge.exe	84
PID 4584 wrote to memory of 4212	4584	msedge.exe	84
PID 1496 wrote to memory of 4908	1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	85
PID 1496 wrote to memory of 4908	1496	47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe	85
PID 4908 wrote to memory of 1020	4908	msedge.exe	86
PID 4908 wrote to memory of 1020	4908	msedge.exe	86
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2064	5032	msedge.exe	87
PID 5032 wrote to memory of 2684	5032	msedge.exe	88
PID 5032 wrote to memory of 2684	5032	msedge.exe	88
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89
PID 5032 wrote to memory of 1808	5032	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe
"C:\Users\Admin\AppData\Local\Temp\47b280fd303a029f5a06e52f779ac026cbe976c18ed12defb6c406084a3f111d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd52c13cb8,0x7ffd52c13cc8,0x7ffd52c13cd8
    3⤵
    PID:2480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
    3⤵
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
    3⤵
    PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
    3⤵
    PID:1572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,3078975392146111618,1281189988639883532,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3068 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd52c13cb8,0x7ffd52c13cc8,0x7ffd52c13cd8
    3⤵
    PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,2993119168274336469,1422210790451353983,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:2384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,2993119168274336469,1422210790451353983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd52c13cb8,0x7ffd52c13cc8,0x7ffd52c13cd8
    3⤵
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,10455574781451766172,6354816136858101629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 /prefetch:3
    3⤵
    PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
696ffba7b83ecf008523e96918f200d9

SHA1
970d90e22c8b3674fc33cdd1913c51ef28514255

SHA256
dc6dacd725d7385b2e4db1f488d93f2840d2289efdaaf3737849304d1ab9ba34

SHA512
f8528683b70b58376f3eba3338fa6b462c9e9248c72524573005cff6397a0556bdcc2fdc2ebb020ba8218bc8174ba552002f223a245dfe3d3688826d24d63237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54caf18c2cda579e0dad6a9fc5179562

SHA1
357d25de14903392900d034e37f5918b522e17c9

SHA256
28d77529de92eb605d8afee0e133a7d08e13d4386e5e38d63e2da34623eaad6b

SHA512
88da5a33df9d82408afb8344ec7dbaf7686435fdb55eccfb85d5560f39861e84cef5d71949d5efe7a191778e6be755a8448f3fc3d7043007037f9f5227e10210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2a7c3e12a39c43c416107b3142cf2469

SHA1
26cfd318cea62ae3070fe8c79665e0a22a6ed814

SHA256
02b2c345813d98d00122cc5bc2097cfdad67c3670e1ef2e16ab94e06453d7825

SHA512
3a4ea78a22e66e3eb3adeec440de0a010c62e9c472beaf186d00701e5208bf636530e888a1dfbdc6ef647001ae32bf8278dc74d5be8d03fb5b62ce676345d4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ac71105ebd88b063f27613693751ef35

SHA1
2c7563c436dd797fe31368c5d86cb1c5a1536609

SHA256
f058ae2d6feb22de6ae18c8984133a5eccb596fae808834aeb47d2dcbfbaa62b

SHA512
93240c271306d21f40159323b8bb444a0f62c34721eb0e27a769f700d3e8dc1dcbb1d725a4a4cfb28a6dd49481886062126ecfb9aec8f8465ff4b670382244cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
194ad6189f787ddac39d4ca84e2a9e50

SHA1
19fb43ef9c84bd62291790ca92eb3e7b5345f3dc

SHA256
d3731faa007738d85483880da77471982b7817c0696414ed432f380453b88478

SHA512
8246f21a27a8271cdc766640d4e80d042400a263524aedb2b1d1298245d0479a37c4c14e3960ce33a187df29ddb78606efd63655c3c1bec7dd3420b2bdb35588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1250174550707d18cbdac08a67eda33d

SHA1
bffd8a19a74ff0b641c422fd7aa8f2026793c56d

SHA256
e2048f992988e797a29b9d4d7c7bc111afeb21d1f8ff64f05507137decad7127

SHA512
27555882c91474350e6e516e19d573b68c95dc28a09a9bf5d0b847530ea427655a920103b0d857695f68f6e4a6bcaa32ea255cef15241d7ce80554cb1304420c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
33cde43d446b4fca24c81badd5760e1d

SHA1
b2a57434e25dd551ca802f9d865c26b10d9c027e

SHA256
07f798a24f4f45d8ad1bd3aed717cd6e56094c3fd39c99b59e9dbf41b3d789b4

SHA512
4d7b00a2ae0cac7594604515efe9ea9b378e1e4bfb6043ec5ce020d0fc5226faa9f94c319e0fdea367a871ce85e97420c5161c97d1d625b793a8ac1b8f651528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
022b4de26be95ae1bc1afceaff4d0424

SHA1
ad7b13b241ed2558bc2705589683d8928d81bcab

SHA256
e6f67147c1cb5fce495ff48c3f9adb3641b6de6a8c6c1426602570b522485b45

SHA512
21386c01b1acba97621b1c02728b484d54d345a563e803ed10b56ceeef81027cbe7d38daf9871956dad01178d1ba4f66c8ef550e68a4991781b37d82f157aa42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f88dc5091ab511e3de0217daf5fd042c

SHA1
e245cbb5bfb277879518809d6cb9f707e3368706

SHA256
69d3841432fd07ddee2b80e5c3d693fadfb47453c431aa28b28cc01c82c86406

SHA512
a8caae76bd1c52439bf7e1c389b30187305f5ca98429bd290bec15d3840d286328e4627092680ef9c3ff993efaa694da4832fb860250f907ee04368c023b2a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
b0a9393e58dde80603c603042ff142aa

SHA1
4a8b86e71338982abdfbe6632a5b43eb467a5a5b

SHA256
e4819e1c03c6e2d243c92ace96efafbe16264620035bce5738bc8a880dff3473

SHA512
8eedfc21c2c4c6faea44463ab6c1dbfce36fb63f2da07ea1119ff3fb62302fca503860f28b856b026b83151688eabd64f33d5fbe7c5c03f2a5e0d40b9eb0eb71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
9b676d5fd6453daf0c1ecc2c5ee3793a

SHA1
152d72fa87d59f0aad984134fce8d718097da42b

SHA256
ea561368ccfa882d7b529eb528871756e46ea9ada3799128f9804f6bf0ffafa1

SHA512
7f2e3cd4d6f8f0af356ee67dcf79040dae6043f9ddbf235f4dc763c04eae2ae123f7eba9803e963609f8d2505a7c2fb4bda0b685c4fca5bf05bd09241bff40a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
03eadf4199b124be8cb4b013ee42fa82

SHA1
6cc9b44b75b14c92e5a495e43ece96eb2060fa58

SHA256
63107928d721135dbcf8f4eb79ffeb9db177b8a433ff2bb0d300d2d33f85e3f1

SHA512
b0807f6658f16a6412025a62a673eb958c0821c3609690baf9bb14312fa1948cfbbba8c0185fc3ed1788199c8ae8e50cf04fe12cba5df996fd5c88dbcf2d5bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5799fe.TMP

Filesize
539B

MD5
99839e6998fa5779e2ee4231b2ea14be

SHA1
11298c550fc7fe8a30c82ca667372320a2b6cbc2

SHA256
58dbef924695294144e350daf4ab57ccbe6634f477ba4e3fbb12fad48aaf85f8

SHA512
de6255ae33e99f3d4db76cff3ad8158d0d9a93a7a927f31f2741e7cf7bd147217812a8d2170facb0d5939e23198aeebefa4e4fb1a3482f14d049ab95279db86c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
844a92d1a144d28b0536cb2a8e2cb290

SHA1
017b35b2ce3c2e3187b937c920128f22528eb3dd

SHA256
32ffea72000bc57702653a20291052a358ffb66d0e491548f6b4c4fcc76b1612

SHA512
8cf4312e315d8013a810670d53f4ea3b9cfbf715852f55bcb9d7109af325653376b7592da0e2d3fe7175704d7399ea863a4db45766651deeb70d5518c87172c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab83e537bfad3087f0027bde1f9df141

SHA1
ce8e893bdec9166fe85d239e0c2cce979da94c80

SHA256
0484feaad57044446f2d768633bd805edf5ff409c8692b8abc09d07a2c116b69

SHA512
e73dde1178cae48dfddc13541d98179f8a1bf3f54326169c52f759ed939cba60ebed5e8449b2c8624608ff184c3342246729b1e2a6990ac7f7962d8c5ff45cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
316ad7da90961b320dd2b24144002387

SHA1
f650920aa35a4c7f436382a7ecf5cd63ba76e6e6

SHA256
bf97d9618fb370148b29e9c3e0e5c14210ae1c15d881936ea56f908b149886d8

SHA512
00f35d16ab4acf999449723881e42497b92b66a3f5d330351ec806e82f78c7ad5baa150d5e448b4790a73bbb33048680a236bb601717beea4023d9e5da7dfe5c

Download Submit