c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24/04/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
Size

896KB
MD5

efc2aa0395a8c08a42ca848d51038565
SHA1

1df17096fa263cd4d8493ef88e9c464b6ffc10af
SHA256

c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7
SHA512

28fcc217f9f3652b85a4cd36985528565b46ea7bfe1e48f10d89334fe66dd60cd16410b2b9a7eee9a4c2d16309a4a5301e03382aab4035c29f2ebeeab966116c
SSDEEP

12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaITcS:GqDEvCTbMWu7rQYlBQcBiT6rprG8aQ/

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
2800	msedge.exe
2800	msedge.exe
4300	msedge.exe
4300	msedge.exe
4604	msedge.exe
4604	msedge.exe
912	msedge.exe
912	msedge.exe
2532	identity_helper.exe
2532	identity_helper.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3456	4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe	80
PID 4916 wrote to memory of 3456	4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe	80
PID 3456 wrote to memory of 3644	3456	msedge.exe	83
PID 3456 wrote to memory of 3644	3456	msedge.exe	83
PID 4916 wrote to memory of 2800	4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe	84
PID 4916 wrote to memory of 2800	4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe	84
PID 2800 wrote to memory of 4924	2800	msedge.exe	85
PID 2800 wrote to memory of 4924	2800	msedge.exe	85
PID 4916 wrote to memory of 5024	4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe	86
PID 4916 wrote to memory of 5024	4916	c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe	86
PID 5024 wrote to memory of 2908	5024	msedge.exe	87
PID 5024 wrote to memory of 2908	5024	msedge.exe	87
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 1652	2800	msedge.exe	88
PID 2800 wrote to memory of 4060	2800	msedge.exe	89
PID 2800 wrote to memory of 4060	2800	msedge.exe	89
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90
PID 2800 wrote to memory of 4876	2800	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe
"C:\Users\Admin\AppData\Local\Temp\c6ea4e538129c622241b0ba7dec0b9cce17f1bbec2ba12a3cb83df182dff54e7.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc57173cb8,0x7ffc57173cc8,0x7ffc57173cd8
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13892147881920134004,2324238755724727374,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
    3⤵
    PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13892147881920134004,2324238755724727374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc57173cb8,0x7ffc57173cc8,0x7ffc57173cd8
    3⤵
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
    3⤵
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:4876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
    3⤵
    PID:2696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
    3⤵
    PID:2932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    PID:1012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    3⤵
    PID:3500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17096869254741888893,494935452356793611,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5516 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc57173cb8,0x7ffc57173cc8,0x7ffc57173cd8
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,10131228324795931234,14896890582268864449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5e869975d65ad786022d6fc8b47b747

SHA1
14b030f53bc86bdbec766b2f3942804ca742043a

SHA256
d5f8f63c67fd06a2ae7da80cbe8cc96bab5932087eb70432df9147ba818d758f

SHA512
fd8d2b8ce13f4aca312f4856096edba99310a78a5f4c4148046a06e873a3d2514fd2dd9b4515fc89e83306d251929f2ef9c78863f85a3e017a3029dec63d98dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae7fbf62fc07f0bdb15169d2de3dc768

SHA1
9155eb973df31a7d6fb95f03058dd523171b4f0f

SHA256
ecfebc84b01ed9071cc68bc2abc4eae4f891e1dea41a16ea6010f7acfd6cc624

SHA512
1539bd6c522e56685399616d9811435ff0197c9471404361c53370a261feb180a38aaec9aacd38ff52c94b2cac2e4da19a3de50a9b6541f6f3fd0497bf15bcae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
17ff23cdfa55000f6b5e574ddbe4146a

SHA1
30bdcdbe8da5038de8f78f98b91bb359d0162fe7

SHA256
7f95ca40ffa9c936f3b3e8f26cac64c55dbd32c2291f411c89065d4481fcd978

SHA512
9561a4fa897c274384de944be2bb3d001687691931fad73ea9b45d54c6409033508211dbbee5ce6f73e975aa9bb7763ec980d6a3f97fdf37e798e2f3a13db492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d475ec88641c83fab8d75ae1bdfdeefa

SHA1
5654ffd7f956d211b0fc0e93b65d077881607201

SHA256
21eb745d9124aee92c5f0e2eefa6073b91c998de72436292dc9306040dedb324

SHA512
055f233a6ddb1ddf899dd3687f2483edc7a33c71c3673e137397bd6a801445fc820a18103ea1f9042ec475c240126e67917fa27c0a7238e1577262ed7e7afc47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1727edbc1299178e4ac08969db967477

SHA1
21e3ae163aa30deee290b202344873bfff018607

SHA256
b85120bf4fa4ec0601ef82ccf2326a9c2a36341e892e61b2793ae5050dc51b0a

SHA512
7aec949ab51a566eef7e05e461b4c031b6066f30629f2e21663cf974e4b9b5aebefa6f87597b4b2399c0f49710fdb1b7347137bc8fae16460961488f8a067fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e571732663e035c3d6ceca050b4ae10d

SHA1
5c814e5a1cd05cd3026070761e4a58ad0dbdc05b

SHA256
0e730fd0051ed9aa9f829c1919d842f88b39365b27620ec812bcb5a35dd88f53

SHA512
c7bb86d098095a8c5d12d9545e368fc5564d28d479f9dc6846da24271ebcaa16254a34cebfa6605b90d8f7d62c9c8828cbad68d8b53fe3a0e86f4b8d612bd2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
254a2fef1501daaec70c3ef8c0d8ab3d

SHA1
af59b2f58bce20b8f48255182f84168b6fc7419b

SHA256
4c793a4b58b4e64ba000a4c923c91752c5fecd0e41b70c9d9741683346c10461

SHA512
614fb6805bf4c108611ebb46701eb27ebc121276af92f6ec0c69ba98229bbd8c7cf2e16734af944a900c2487493ee299e184208b545dd3023b20aba2cc9ca806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
aa8a6f5d3e09262ae8159142165b6824

SHA1
6dcedfbff7aa07ebcf6bd2dcf30dac92063e8082

SHA256
76d4b12d3cbd7b6a40baeb24faf05d202150b901a0e26dc33c7bcb0882045a04

SHA512
87ba0070744fc6d6f5a4c26781ee3ef6f83e3efd1700ea8ff26aa00ea88e839fe2631e161a637fd4c360a71b800d863d8a7635e5eea82c43a02394031906be51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
0b6470981e8ddef50b20e0841862dc6c

SHA1
a273f9f449056a511d3900cdfdb64385d400e7cd

SHA256
ab1c6a566ba88dd5b4e7fdac0de54f3dc5e70faba85d08de157ac0e593b6efc1

SHA512
3af1cfbdb116a040b8906ff82d77f36ab01d0a35f116ba5cf19742f4fbaa8bd82548d2c05ef10982b254a2bd8037eec04d87f9cc56b04f2054cc1772abfd24c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
bdf053cf93644c9df1ee0706c39fc85a

SHA1
1adb2f61a8f111f8831e32bb4fbbbaee0ea927c0

SHA256
ceac6f7b46588b8b977010131f3f064c6d8f24fbbf9db312d261c7892a70e314

SHA512
d8d12e9f2b816c724b4cee0eec3e267466341d61c8e837104addc5c44395f63e0651b4a012a8795d916066c2e6efdcc996369f014414bc252736c82c8fbffe6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
a073cc88bf48a86dfd02f03085392a63

SHA1
2ba1efe9f516ea600f8880fe217396851a0d1fc4

SHA256
cc3fb3557923320206dcb1457a2b9c5b1a831289f4c2462ec7cb8330b2f12ac3

SHA512
ca544da3df5650f1dd6121b2f5643a4a07345a73e8142248b852411cfe5ad167532fece84c5a7e5c6844cc90eff8f9d2d61f99fbf138a58229240f16e1ba3180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
74dd82830ceb4ae3afe2b50df15025a9

SHA1
53bf490a9733633a6093b0bd838af406fa3f04b2

SHA256
42fd157d99cc439d388a89796a5d3f267f4d48921904dec6dd7d1d0a1f00d231

SHA512
df3a55a216207f2fb5dac2ada1b6cfd40ddb61b15559c939851223986814a01a2753140c387e624991f473e2e28b1f2f0e703afdb2e89852f5390b3824928e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ade3.TMP

Filesize
533B

MD5
6891382a214b4536d022e7dc83a9e641

SHA1
df73e539c0f83cc96cfe6351f2586e5a194d7704

SHA256
f4dd6e710109bba36926f0ff7f8e75214753a6d2e5fb382ab4f566ae5e82d95c

SHA512
b60e5b346b9a655836f3955268d92e76a7481addb83be382bfb0512d1bd4aaebfc950211089f13e42cde0e2e20257e77b8db3bbbd1e6160d7ad8ee31bdbefcf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
964a1374d5d8e15f428690130abf9afe

SHA1
5feea453038216713b20dccff7b1da1a02b6467e

SHA256
8976021837a475ab381acad8f2a23acc64c59968682af92af7c96d57a1914a61

SHA512
9802c0561bb63496e79214eb602e11934e5df32efab748cb8110930cd64922b9ab2d1f0326087b81d831a4058699d11e5d6586e42602f8ca4d54a0467caa76c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f09ba53927a96d0e2d10b25ee966249f

SHA1
91e273fc9afeaf7a7143bbd95d195eb5dea7a224

SHA256
d33422e7d33f53b85c90a1df792aa27f244ca9e1dd6eb0b2162619aeca733f6e

SHA512
1d21f8bef4ebd9d6548fa5b531156a38c6b8fd0c5ac8dba58d1a018c2218f084d91fd11066e024677f0d4fec52ab17bec6e378d735e8334eb3f7b75820d19890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03f74c72d925d6ef69969cbb19491bcd

SHA1
e814f29064898267bbcfc1f31d4d7be2d251d866

SHA256
0a47fddbae25a96945233d40ce03568fb216fffe73d2171f91c83432ff098fb8

SHA512
ba1ae76b7e2a352925fb63cffb091cd285866e5ed03993b002ab905b8f62405ae0c77b50c79b6e35d951964dfcae21cb78933ac06bcb9821a0059d1989a30b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b5ad66e63f0cbd6622447edb1500aba

SHA1
a1a0d65118e5ff16af360a94c96561fd70e29789

SHA256
3e52867628d46ac6dc4bc69a96464bf64a92f4df56afaeef9a5894b6031413fb

SHA512
cfda5690c9976c9dd01a45d75d2c8f9f5ade71b22bd571100520580ab974c8175df4923e35b62b80bc2a1554d334e0ddfbb4f7c55bd939654564f09cf577b662

Download Submit