354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7

Analysis

max time kernel
145s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2024, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
Size

897KB
MD5

5e759f36692e7bdb449765931d4f5894
SHA1

eede718d59306f5c971a5c4d1a21bf2ede2e4f47
SHA256

354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7
SHA512

eb0e63b7df6512837fd13bf8f94697af29fdec4a9dccb06aca5e995f405a532a45bc47a4230b7c1b00c4e816f97e548b94d157151ab8f226093964b6419dd3fb
SSDEEP

12288:eqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaATz:eqDEvCTbMWu7rQYlBQcBiT6rprG8aYz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1504	msedge.exe
1504	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5108	msedge.exe
5108	msedge.exe
3648	msedge.exe
3648	msedge.exe
1840	identity_helper.exe
1840	identity_helper.exe
944	msedge.exe
944	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 900	4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe	80
PID 4628 wrote to memory of 900	4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe	80
PID 900 wrote to memory of 2996	900	msedge.exe	83
PID 900 wrote to memory of 2996	900	msedge.exe	83
PID 4628 wrote to memory of 5096	4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe	84
PID 4628 wrote to memory of 5096	4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe	84
PID 5096 wrote to memory of 3580	5096	msedge.exe	85
PID 5096 wrote to memory of 3580	5096	msedge.exe	85
PID 4628 wrote to memory of 4480	4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe	86
PID 4628 wrote to memory of 4480	4628	354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe	86
PID 4480 wrote to memory of 2760	4480	msedge.exe	87
PID 4480 wrote to memory of 2760	4480	msedge.exe	87
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 4852	5096	msedge.exe	88
PID 5096 wrote to memory of 1504	5096	msedge.exe	89
PID 5096 wrote to memory of 1504	5096	msedge.exe	89
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90
PID 5096 wrote to memory of 4280	5096	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe
"C:\Users\Admin\AppData\Local\Temp\354a9713aa0cc8c440f72a09265e8df8190f139568660757f9ddc02e17597dc7.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6d7c3cb8,0x7fff6d7c3cc8,0x7fff6d7c3cd8
    3⤵
    PID:2996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,15466810684461133477,4207663730021728295,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,15466810684461133477,4207663730021728295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6d7c3cb8,0x7fff6d7c3cc8,0x7fff6d7c3cd8
    3⤵
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:3996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:1488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    3⤵
    PID:3552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,8940614298807721995,9374154345694844031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6560 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7fff6d7c3cb8,0x7fff6d7c3cc8,0x7fff6d7c3cd8
    3⤵
    PID:2760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,17984666144088473142,13136750122549795004,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,17984666144088473142,13136750122549795004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2160e9f02e87c9b61a813e0a44524f37

SHA1
3290a0fbafa05a4769c1051de7cc228cabcabe1e

SHA256
c9ccd7cf3538f5c24e09cd32cd0b494567c229b98aa3344b01914e77cf67cfe3

SHA512
925a25fdaf22471b093d3a9731b4c6f58bd631a1c15941bc6e6adfe4eacd97a9de59bc5b305508c57c0aeb7b534ac3fe06b4d045fd07c16c0d1d4dd48933c750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3e382212eed935b8cc8aa82867d2d79c

SHA1
5e0ff42eacf871168d91dde1b1530e7a27f45d62

SHA256
5ff7f63d1bcb3ad800f74eb1e5a75237a71f8151de349a51e679721957c5acaf

SHA512
9e6ee24947d33c4e659f3d7a5fbbcbed97d3ff4be93bdfb713af0734e0f7be89c1a111dd54ab72b923a1f3aa50d48b93e1a1a6b25c59915eaccf8594b6909647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
930dedb1dbc6d1cf850216859fb814ac

SHA1
32fc9846899fa6a7e23f6af23a929d12f47cec87

SHA256
4c3864a414eb02a29a6df652996b91e21916a11e7364730298b940b01046db1e

SHA512
1985e401e51fd5bd950c7d3ceb8eb3eca05bff12ef3c135565e87f796d984124047eca71cb2bb4f8c995cda16ff28f0ae279c82b1925535f28722fec3e4c6926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
27666326f202b71ed5a9440cab2dfa55

SHA1
25d69b16a1e50744dcd18b3d336166c8afe67839

SHA256
18dfe820b4b318901849e4a419b9098a6deda9a5b7fb1feb7fbee3906501af21

SHA512
1ef68b55756814fbb02c630f5a5ac01e52c078522f01cbf64898e653856e82db47aadba12da5a8bd8a1c30bc1909713c23e533d3b1310a575d2b40c1eabdcd4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e71a5adf8a37630538b59aa6cdc00430

SHA1
e28ce9a4093d5371e10f87993a978899f0fe8078

SHA256
db0ca0e31986f10fc44ea7488ab37e183d7c9dbe037236938e3bcfbf223d18f1

SHA512
9800e3ddb283f4ad6db0c20a4a42c3a82956ef959c5b543a6e0f9e6065075915182889685acc7dc7974c80b711fe04b6c822be5206617eba7cca8ecd500a974d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
b942ddf9b990dfc73e912503595e3795

SHA1
7afff5e25e4b51b147503e5bc87f1beaa2c1fe2f

SHA256
b415e9de90d69ea1604b5d9225a056ee942a17428ed682f88782d7abbf6149e3

SHA512
f501aad65dbac9ad29fc8ee4e331d2ef290ee927d454214c86b3fd8fa32ba4a6cbb788929ec8affbf847b71effd3d7cf76f9ff29d8dafca2c8d43504348d5745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
627127c781260eefa359d1d08811ac5e

SHA1
c142afcc87ea873509882659c9b8bf0766a6f372

SHA256
a86fb73989598873311bef583dca9a204573d526ca43e0a128ddbf5ba5c20763

SHA512
699cf864e115b48e7a30c28567412f1205b0882511531a9f8846cab7343878be70edf00e7c0d6b9cee08562bc1d13d707ce946b7f419fc4e158d2c663c164876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
0f1ac15027474b31dbca936ddb5be718

SHA1
859888ea6e83554a6cca1e208bc69ed31f59195c

SHA256
b0b83b458be2b212f31d2ded2d0f407d7a18c1b772de2851b1dea512587fcb4c

SHA512
e5ad5fea9d1faa0dc551e74c9abce63e8c4ba04cd0c816170feada338b657f718d3f47c8adf2ebf7fbe36d087e0929d0d584ec42ec835408b25d1948e19a0938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
3cbcd34e4503819c6450cae0ad0a9a96

SHA1
ec99f0f546cf07081c8164ca5a0ae5b85e488f20

SHA256
cbd51a979dcf816c650ee9621d53071d1859bbe41a0ef06f3579067cb8878d26

SHA512
e6cd1e791815c34e7f12e3e539ed740424376c8fc3c1e20dfcc99d63b8de20b745ab2eebf1d6c1a37a8cb437b0f7d95f33a8a0438c405ad18c3b7917e89714eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c534.TMP

Filesize
539B

MD5
df966f65e8dd98fc8cae77ddc52630cf

SHA1
1eda9e652d702a60516561f965979ca70c806135

SHA256
55826429fbbc043b6d84ec0782541c113f07a7f47affa3bac06cec47a34d26ee

SHA512
de83b397851630e201e27bd0e522c7958ca5e056a55f80c12dadf49fe4f6f0aa10c5b8a4c8d9dc3d1010f7f62c6c38684b96a50d0606c44d9bc537f302b8fd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cfb8050be3863f7636743f365412931b

SHA1
f48de8bdda3173e5e944a856e733015ffde3d4df

SHA256
281e01d2008c9d83fb2ba2c22b19e5b7e627bc30286f0cd102fad802834f6179

SHA512
b1cad236a6c0d47f0964bde4109412b86a7ba0e3734617b3fae3b83cc03f308b211b96992f84dedc339e3d752165ec8cd8f8967ddaa873a4ab13f52c0005b23c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e1218fdae1808553c4993b435c55b5a3

SHA1
9b5f1f148550bba0719ea491d806cb5eafb7835e

SHA256
189923d83edde8aa69b8040dc5debb81b943462bd9fcb19158e191c80d9a7d01

SHA512
caab41c9442467adec24f96446697073d6f9ab5739087f612700364a8ab3166160011da037edadf23919c369ad1c82bab5e935244eddc795389a1c1157b38794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c0076d37e9c41a341123cb937da51f5

SHA1
b985f0c7314c971fbb01aa9af3f541258548352a

SHA256
63bb7488c7996eb2459d9bfd40836f61ae2ad7c82203b6ce5035472a12cd1298

SHA512
f074e93d9534d61913e81cf350cea176e9a74574d964129bd5c499e71240682ee2b04a254e801b77d67325644687ed97e90dc8574cc22906a58e99220cc363c4

Download Submit