1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
Size

896KB
MD5

30d2195b24191b483c4ad284d2966a09
SHA1

9548a62139fd76d96efa7bf3cc8124392a4b0162
SHA256

1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719
SHA512

c8131a27ca5941952e6d25e3bea66ab35c34b90e27acb0e58d32fadfb5e8de11930bb2d12c7d280be0742432a30ce0ee2030ac17892bb1fb77cff1cceeeef5d1
SSDEEP

12288:TqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgamTv:TqDEvCTbMWu7rQYlBQcBiT6rprG8a+v

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
4176	msedge.exe
4176	msedge.exe
4904	msedge.exe
4904	msedge.exe
2896	msedge.exe
2896	msedge.exe
1480	msedge.exe
1480	msedge.exe
2064	identity_helper.exe
2064	identity_helper.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4176	4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe	80
PID 4600 wrote to memory of 4176	4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe	80
PID 4176 wrote to memory of 900	4176	msedge.exe	83
PID 4176 wrote to memory of 900	4176	msedge.exe	83
PID 4600 wrote to memory of 1336	4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe	84
PID 4600 wrote to memory of 1336	4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe	84
PID 1336 wrote to memory of 4348	1336	msedge.exe	85
PID 1336 wrote to memory of 4348	1336	msedge.exe	85
PID 4600 wrote to memory of 2156	4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe	86
PID 4600 wrote to memory of 2156	4600	1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe	86
PID 2156 wrote to memory of 2092	2156	msedge.exe	87
PID 2156 wrote to memory of 2092	2156	msedge.exe	87
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 2784	4176	msedge.exe	88
PID 4176 wrote to memory of 1196	4176	msedge.exe	89
PID 4176 wrote to memory of 1196	4176	msedge.exe	89
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90
PID 4176 wrote to memory of 3236	4176	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe
"C:\Users\Admin\AppData\Local\Temp\1316610a95c06d5cd0929df4a499314e7be9219373bccdf0f3b993e813a3a719.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa87a3cb8,0x7fffa87a3cc8,0x7fffa87a3cd8
    3⤵
    PID:900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
    3⤵
    PID:2784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
    3⤵
    PID:3236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,13597367876800131491,15083429737617596265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5504 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa87a3cb8,0x7fffa87a3cc8,0x7fffa87a3cd8
    3⤵
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,352883765312355272,843282722971336798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa87a3cb8,0x7fffa87a3cc8,0x7fffa87a3cd8
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,10464193054745534670,11431203219483708615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5acad5e385e5641965d46340aba35216

SHA1
7607829cdee326d2a67e98d23b36ba37896fad40

SHA256
aefe0489fdcdf9baf6cae16e03b197efd9e4a9ada6063a0eaa7b6ffb2812a121

SHA512
9f84de186b98cbe1bc90b9742aa81d54c0fee92f608ffa2e844b08dfc2e758a691cd81f468c37b0e8a54d629942bfaa73393cde00c99673b5d5ae1f3642b3c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f6221fd13d829135235b98c9d9546c92

SHA1
65b48d72dc563971e8cf71cd836eb9db7b87c778

SHA256
6f82fc835c12cc7bfca3fdd3c7b2f27c7f57612c25764b67a5456beefb42b237

SHA512
9a4203c426f981d3e3d59c5880609ba7b91afbd57ed8245dd96fe2f4cda4fa42a3f5a03abe271d2df43212cb4995a9d5af83c1fc2266dbbcebabc306f7831155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
406f9de81e965edaa67e4b7d29f44e9d

SHA1
d05a47ce6887a3ce0dc6b15946e4322e2b67e107

SHA256
4ef992b60768c68da362ebde2b86ec9912808111e9a46ab41c57130e09b92246

SHA512
eaa2763e69ec2453f45950e6336360e4296d11078c1a03ab0d0211c337601a968f2da6ed5d64f6dfe97dd66eaa8c26fab8cd477150043f252b77e04043166f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15db5300a27e71e5ccd7e1fdd95229fb

SHA1
f97405b16b1b2f6e57ded09c52c6668f38c1183b

SHA256
db894669dced7709d0a654b064f903d2de7382bb1d5f21a17925f98f828db8b7

SHA512
79e5d0ba4f787d586c6c92e687c50811b8f046227aac299b57c10c86a2088bae9e05c42cc318fd164167d0cc86a6b2e816888b54aa12289955ef50fe550f93a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc8e0972d6f008734b74c7adee7b55d8

SHA1
b3c9fdf551aa670ae57abcb8096cb407e303c645

SHA256
6dada072c6ea05fd2f053cf4b5eae8a8522bc4b6c703c9f82b9c11837c0157cb

SHA512
a95b444934d0f249c7b870724cae7646fafeac86ee49abf58331b651482b27f45b18a0d06384ca49142061f444a74c55bd08993ff64863ff34c75882369db172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
947ce3c3d410a74bae17f1796d95ce64

SHA1
aa185b3a6fb7ecac8a5d9a01d589d8528165bc78

SHA256
5e365f32bcf3f0e0fa4df78482090868c2db6b1d249aa00b745164a1ae9a07cf

SHA512
f173648929b39e2312392c1964765dceabe57b863d5214d1722753751722e22c5bbaafebcb5996df1642464852dfee3b46332d65a4c6c40fd13fa86d26308ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
51dc56bdf776849569e9df71c7d24e24

SHA1
e87ee927e91e398384e1f831cee1ad46a62131a0

SHA256
f2dc828262f94077d846cfa034c7a64bac41de9916a77b984cedca952397380e

SHA512
22398a8f268c6a1865d6a72ab39c3e4d044ca7afe5be296810f247326b0afe1548282debcfb0d296b0e2182909d12661c131012b5550f9607c0bdd7c5215fd80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
e3444c0f827621208660a11236ea2c1e

SHA1
e643388f39e0bd8328f617ad8ed0974ac7fd5227

SHA256
23a500a3597f7c42265f77926e249a17180ee74622e507cdcccccd2d6ddf6774

SHA512
193c41d906237c59946d2efe4531dd72c614a073752e68389da7f5c4ad8474f1c5dbff13708a1baa050b5e6451f5a54c65e095817ba696a6c11f1bb03bfa0911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
53d7515e419d392f099518e213cb6e77

SHA1
4e8816f130964141486b2197344538fc4014c6a9

SHA256
88cfc3cc7cd22b58d03a1a758c2d0f8c798b81ffe87b813cea626548cda3ad69

SHA512
9700a0316956603dee9937cbb6f91cf6d8c3293e2136b1f977a37f130ae2490de838e9792464b73ff52000730294bfa84d26aa8961743fbc347e9294d51cab35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579e34.TMP

Filesize
539B

MD5
e6965397742da304c032858a769f4628

SHA1
249ce3d081dfc0e14a62e0bc87e44212131b2005

SHA256
e8f54577b2007fcbfb40fd193762e35c99356a76042a3225fa9e7592df99efbe

SHA512
ed16258aaadc8007385954a77f62cf1a92b029d58602683321837b4daaa259287703c4b77d46ff3cdcc2ca633a7989287e5920fce99ed920a2f7857b619248a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0c2d08460848c18942a0cd0db127ba0c

SHA1
e3cbbafaffc63f67f01e1ebc5b37a3edfb77b833

SHA256
b544513ceabf215678963d5cf06d09f54ab548ea6694aee65bc84f8af6b1a1e6

SHA512
2446f0092f810f03d236fbc384ff02d529d83945105ccd40e7a3e44bc8923d80e7d0d70f5e2d604c0a4d47e64610df321fdb59812f8084a213dc6257f8afaff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a2146897040fc4a7188a41cc86f1a242

SHA1
c9ace9374edbd57c7af5f7c3c29bdef027d5d0d7

SHA256
e9a00d2bee50afda2eb69f3934159dc91675df835b63fa23359d428716059530

SHA512
d1838a57a18c311a276dfabd00b04960f4a61b033a949062034b8e1cbc36e073979d45ed106c150a8e3b9b609c349fbe77bcbfae81ae27efe200fac5629e72bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd0ce60dfc2f96caee6efb15c8783028

SHA1
2cfd3e9b6f7f73e9eb1966177957aedb1c1fc75a

SHA256
7edfa036b2a303709b55ebe23035ccdeb002915910959ccf079d5db84be50bbd

SHA512
856fc1e1f20e1a09159a4857cf3e456b08f7128fa1c38e82d64291a4e898ff9712b0a4b72a118f34c48206e884edf6f906b9275d1ba2c8d20a86398c6fc1c7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aef53aa5a4cbc6fa289ef7c7971fd4cf

SHA1
8247ebe8c0c4b3cbfbe72998473f68d7141fece8

SHA256
af202bf2a6b74f2d91fb7febad18fb666febebff0ad5269f7d09be39f915c938

SHA512
268bb918c1d89ede2bad2e3b08f84e86a71f405f1efcca5d68b14f8a7b8fc98cd1f5e15015b602afbac85cd4b35c39b02dd82c43893de679a0861d47b23a5469

Download Submit