b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
Size

896KB
MD5

033e2032fb7c7dbcdc68f8f250b180fb
SHA1

61d378f3c81fa0238b80f6b4538e84822fb3b2e2
SHA256

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628
SHA512

bc9e1ea85ef9276b85710efa6f9a808fb69008714a73d9905e4b7c33de71d383411d71dd177bebf7f4b0dd232b4c7d55d9b209264b5201ea0cc59711ed8ab936
SSDEEP

12288:0qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaXT4:0qDEvCTbMWu7rQYlBQcBiT6rprG8aD4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2916	msedge.exe
2916	msedge.exe
3084	msedge.exe
3084	msedge.exe
3052	msedge.exe
3052	msedge.exe
4988	msedge.exe
4988	msedge.exe
1932	identity_helper.exe
1932	identity_helper.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exemsedge.exe

pid	process
1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exemsedge.exe

pid	process
1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1396 wrote to memory of 3052	1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 1396 wrote to memory of 3052	1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 3052 wrote to memory of 3528	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3528	3052	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4856	1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 1396 wrote to memory of 4856	1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 4856 wrote to memory of 456	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 456	4856	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4280	1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 1396 wrote to memory of 4280	1396	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 4280 wrote to memory of 1556	4280	msedge.exe	msedge.exe
PID 4280 wrote to memory of 1556	4280	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4536	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2916	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2916	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2248	3052	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
"C:\Users\Admin\AppData\Local\Temp\b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6f2a46f8,0x7ffd6f2a4708,0x7ffd6f2a4718
3⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
3⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
3⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
3⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
3⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
3⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
3⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
3⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
3⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
3⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
3⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
3⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
3⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3671556707061645742,3989175858697698994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
2⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6f2a46f8,0x7ffd6f2a4708,0x7ffd6f2a4718
3⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5845673238156380567,6898369110599261573,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5845673238156380567,6898369110599261573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd6f2a46f8,0x7ffd6f2a4708,0x7ffd6f2a4718
3⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10195627307396986281,341839457952984475,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
3⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10195627307396986281,341839457952984475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1e1d9565-8104-46ca-8522-a3583c4dae4e.tmp
Filesize
539B

MD5
1335bd7b81cd4aa2c3aea80d52b67388

SHA1
2e8b7f24a78ecdd5fe23c7f1278eaf2ae24798e3

SHA256
5be626e23b610689a7bff18e01c6ae3fc325de9efe78c7bca0b2f8709aa8bbd1

SHA512
1124660cf707a6753de51d3ad8bdfb9e3798fb1d1b94d5f414683b3ff2ef6945ebbbb27521dad43ee25ae01d11bb19117336e976a94e49d135d75a769695dda2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
f50265b9455812270aa92383e60811d2

SHA1
f1350c50e9190fb576f923c879a40997dd301a72

SHA256
19753d80022e9220e59adba2d2f6b6fa44827cbb067d991dabe1546127db11d9

SHA512
ef0e92b813679fbd4e01f24d419d04ed6c788e0fed110fd6bb9af8c3f096a26c92164bb7b0df702dfd3fff93a3431e19bad6e50e847e25e471ed041d8f9faf80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
8a107b868bc9938db1ff3d0963d668a6

SHA1
1860eea14fa0cde40090000574cc7d56fcfc0b7f

SHA256
ab84a622b358f2d7d7b47c41cc88a02c9ce3f61fdf056445ac485161ac951cf0

SHA512
cb374430ae1e186a34a6aab8c96f521c9e6f0f948f3dc7ae47f47c334ca7c54765109a44e6e23568754ba40e8b0542d3c80906494f8eb6c25a341a3359f685a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ccbaaf49f62050ed38206f0acae3bb5a

SHA1
18246963cc381fe245a538f4d88dc32026292d14

SHA256
27508e370855ea299008b84dd54f035ac8395960dbc369b28f43e947db4b116d

SHA512
17a2e693fabb12da72d67b70ab356d0a94f354fbe59713fcd624c050a706d631cf6e5f645fb9545c9d9d2d246890378abf96836255aedfd82f92eeb41fa1642e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
da9aa432609c694d0b08ba5f6416b7b3

SHA1
8ab1af8e1103a8365b3aa14021c05fa5685e4cbc

SHA256
b0d5b8f9a37e238a3dfa02571275bd3b2766534352225967bbfadddcb0b4fe62

SHA512
4b3c567a8f7a3f9cfbb6ed915e813743d7008e9b7c4f126b8a6518651aba2b2fe9f1991142edca9bdce8618ec32b3a07d16f1c9564ac0d5ff658267c7f820b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
881377ae4dcdfae5afcb3c0e9da7f42e

SHA1
1c9b433e1142f94a895d8169641187b601290db1

SHA256
f71491a0629093868b6b97ed7acfdb0a5099437e79db06394146e6120f36afa4

SHA512
f59a82ed44f470ab40dfee1e7bdbe3a6fe6a171e737c43f2c2bba06a0bdb20a6ad887cf342e52995b2c441ce35a81030a650ce0f0aa8d2521753afd3f5c5ce31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
e83725c96f1bb1116e766239fd139cfa

SHA1
87df1a6877fcad8f02556cea01567844b1f0c076

SHA256
bc4cac8c3811091e0c6a7341e3798131bd096d32a5e359a144098cb5fc39e1b9

SHA512
5d69ca68f2356f21257fcfda3ad9593ef5b5250e399659a0fb32ecc66f8cc4bb4696b7eac58b2202033a95e4ad57cb3466e683f87750edb0c621ff4db2b96e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
6ad236f8709ca7d2475af0bdde6d7a0f

SHA1
0fa27c83991c42a18dbc1ae851b9bc2acc8251d1

SHA256
293a2288df1cfe1225751bc34a2e44e19d065833af27e73d8f203469ce5dcd7a

SHA512
7be807567a9ee27f0dda539bb9e4eea445d9e9eb0e4e7ca76c5aa660e47f320337ff2c8ed16ac4499d86228e3e11ddab29e7451644029a352d3b925574a978fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
6ad799d0d475874c80ed191da8d4d4af

SHA1
e86d23ed88aa8de5d00a83036c0ab1b7949c0981

SHA256
d53374e2af139f64e4b73f05b94e02d57e28bc6f571b2dc31e6c7bf97d49b7f2

SHA512
ec869aa4ff502fe106faaa196023391da713abb5481610a8b8dcfff5100f7c446ede3e1dc7075dde4f146642b86374d7dfe705e3c8997c488342279a6141df1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
6c969973e7229c7511b729ad6e941fd1

SHA1
9df57aecd76594033cb537343c6e0505b707745b

SHA256
67af0dec5b8c15784d2805b4cfed7e0fbe13bfc1b05a7bdc825e4204b49a9aff

SHA512
f4e897b209ac02500dc9d14f3b942ea556c8d0b82894b7389ce8b3ed4b6a65b230f92bcd62abf1c7c211c19f1954d57347824dae57aeec530598ec0fef653367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a9bd.TMP
Filesize
539B

MD5
5eeedb5d41b3df140a5a3facad1623e1

SHA1
73b01db93bd923891af0b688cb1cd90f293a69f0

SHA256
7e380e47b0c9e3cc937d37a8184ee5b9e2ae745493ef3e4f8d62fc8c4972d6c2

SHA512
6dbaef6a3cd7fce5beb077b6535cfb8ca4924db1cd1de4b3161fcd99555f3106bcae4570cfb616741f472450116ecd4062490a0f9ae9a2f0bf0c801c5348f638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
dfb9421345d1a19d9bf3bb4277e5d5b6

SHA1
0b82d75fc9f89bbc70cdb21d0cee9eee43651560

SHA256
adaec0f69eaa16c6e6caebb9db085a670e8bbbcef3d4f02b1f46c050f9fde9e7

SHA512
e2597fd1f6cbb7ebc03dcd93d1f88def626e07c1f0c0eaccbfd24f7d342fc6bd9d8542e61013b4bb557b95e262d39ffff104e1fadc7adf053c2cffd124f23b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c57b58d2bb44b23e65c0d6301f6fb527

SHA1
a9fcd05a6baf96b9586e908823f0a180af8938c9

SHA256
68f3ee2e48d24802baaba821b6b20ba7cbc81c54e5dbcefb9ac81fe617e6a609

SHA512
af49be792c557720d78e77439d6312e38aed69b0c9f349608dc7d32e8d6681c15904e4a42fdc585cacf0ec69590682468f0c449f2e67a4dd3a1c39ad6cdb0df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
9a08fc1ac9c2f56dcf5a0d38deceae39

SHA1
53bab3ccc3b44f26b8edb6a469b19a7dae5b33f5

SHA256
89e5dc41ca4f28e73ee58be9fc9a0070343f3932d2e5e6c6cc487b55ff8b5542

SHA512
82d6361b195cd4dcab24939380af61dc769f5656b419bd85dcc6519aaee1398c96eb4c7515e3d784fde0ab5acfc6ad536b32810bdac4017760ee7f1a9bef58f9

Download Submit
\??\pipe\LOCAL\crashpad_3052_XISTEBSJJSLKYIYA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit