b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628

Analysis

max time kernel
145s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
Size

896KB
MD5

033e2032fb7c7dbcdc68f8f250b180fb
SHA1

61d378f3c81fa0238b80f6b4538e84822fb3b2e2
SHA256

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628
SHA512

bc9e1ea85ef9276b85710efa6f9a808fb69008714a73d9905e4b7c33de71d383411d71dd177bebf7f4b0dd232b4c7d55d9b209264b5201ea0cc59711ed8ab936
SSDEEP

12288:0qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaXT4:0qDEvCTbMWu7rQYlBQcBiT6rprG8aD4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4108	msedge.exe
4108	msedge.exe
4684	msedge.exe
4684	msedge.exe
1488	msedge.exe
1488	msedge.exe
4660	msedge.exe
4660	msedge.exe
2060	identity_helper.exe
2060	identity_helper.exe
3056	msedge.exe
3056	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exemsedge.exe

pid	process
2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exemsedge.exe

pid	process
2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2404 wrote to memory of 4684	2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 2404 wrote to memory of 4684	2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 4684 wrote to memory of 3156	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 3156	4684	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2944	2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 2404 wrote to memory of 2944	2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 2944 wrote to memory of 4900	2944	msedge.exe	msedge.exe
PID 2944 wrote to memory of 4900	2944	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4128	2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 2404 wrote to memory of 4128	2404	b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe	msedge.exe
PID 4128 wrote to memory of 4356	4128	msedge.exe	msedge.exe
PID 4128 wrote to memory of 4356	4128	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 2956	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4108	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 4108	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe
PID 4684 wrote to memory of 5016	4684	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe
"C:\Users\Admin\AppData\Local\Temp\b8770a44e0326d2d2eb215a1dd4a74915cb33c3b037f74f9bf829d6ceb1e1628.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ffe4fdf3cb8,0x7ffe4fdf3cc8,0x7ffe4fdf3cd8
3⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
3⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
3⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
3⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
3⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
3⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
3⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
3⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
3⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
3⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
3⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
3⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
3⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,154249187988552064,9004741917753619209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2928 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe4fdf3cb8,0x7ffe4fdf3cc8,0x7ffe4fdf3cd8
3⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1744,16308219922738938815,13579741528612159837,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
3⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,16308219922738938815,13579741528612159837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe4fdf3cb8,0x7ffe4fdf3cc8,0x7ffe4fdf3cd8
3⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,4842720490467743011,8282899370819280798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
468fca0d0673744458285c9835e103a9

SHA1
91aaf42724dad778dcb276cf23a11bdf03a5296b

SHA256
18d71f070ff9e4aa7f4ecb839c7991421f057a445ea82f9056c3465d6e271aa8

SHA512
593002b3a38fa3d961ea1bad06e116fb95be408d9a348b67f3f4b8e451d1592e6b896cc4bd65196ce0e19278005b678b858b44fa4f5055aa4cb008c96370a454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
57a42c2ea1aef33ef79f12ffc79ebe85

SHA1
b03e9d33de645a6a9e0287594d34b136853b310e

SHA256
8d593176daceb7a7d60dd7faa4cc9b121f255eeced1f8eeebfb990d2c9d3e2c6

SHA512
c778066ea482411fbf3c5315d302aaf374fe7a82fb15cbef862bd7d8e5de9654e2b66f7119adb4e2af0ea293d689ecf88eae0ca29e9f8288b01fd25951c72864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
103fc83236307c76c2fc54b4dde466be

SHA1
b738c9cf4e8d7ccc4efdcf46ea4dc2201c956d39

SHA256
3e1d25e53ca3c0c7bbf60d2e9c46f560af93462f63330e8bf7b25f10e597ebdd

SHA512
8a4b1494ee66c643c3700d6284802c6a7860ca2fdfb3a26fe8ffd07c2a8869597a0aa45320a7cd153b9b59d4e0b2649760bec3368a9a6ac05c41e1a27c6e8224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
33f9d2873b07f84062769e2f811c4a28

SHA1
37576bd5c139d336a8c3db60421baf4a203a96fc

SHA256
b51f8ed1baa8ce34c7734095a8ebcafda883683e119697348fcb399d4882cf2e

SHA512
822c1f1aa140b72ffb8dce6089a16b164908eb7465377435f5c52022a71fc8b4ef559772991dbd5b59f7002ce9d43248110cc5718638045e466e9a12980cc38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f33ad1d04300da6b7da71fff971c0488

SHA1
915d347f37d2602e230b9e0dc760ef2c7ed39bac

SHA256
a4ceba4392ce1e86cc8a172027a5f6e3d2f475132bbfe97fe549312107f53b6d

SHA512
8923cfa3b44c9015977de0c9115cef04276dcb811e3cbfc1090d2649ba30a0ba153de71716803bc47fb4f5b81b669934524d1a8a14c1536f0e299c96e5254b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
12f87fe2d1fe6abea2c4fc0dfac2a9ea

SHA1
9dafca8b1a89af9e51ad19195fbe04e4bbbe9ebd

SHA256
5c9748c1f8ab8835a6d88b125d0c200481779e8632ceebfdd1b6e4474c29714b

SHA512
5fa5729807016c50ee7478f0475cb03c1a5fab44f8adbf9ea0895ca61f612d263efd11149e5a4ea5638f783c1da3535f0508a8da7ab04819c6d35c2bc7a048a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
1384e218ed9b9883ac01dc12b9988fa0

SHA1
9d4423b3e61cab8834cf44137bb11e142ad3757a

SHA256
e72c52f7a7deadb71d769e176339d40789c39881ea92fa000a2e74b3e69a55a2

SHA512
fdbae3b5acfd09ae3d29608e834d83eaae187b62a66c900f794a8a78ef420a1b9f6b990f49fd58534d1b772bf702aefa7d1b2edd750dfac68dcc35563801961b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
60d5a1b3e2e31de962d517fbbbb6a190

SHA1
243c932dbb0ac73635a6e3ba8571ee5f6c4021e2

SHA256
9e0ff8ea8dfdc19d10bc5807b678460f7bbc66c25ab1bb53a2d43f1b70e9af05

SHA512
458522d0013a96a5659cfaf4a623c9d8b78218e508b5d3352866b0ee58d81f205757876d56e5287d211fc988285ecc539ffc5e0e3d53063b4d0230e9eeb560f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
003b567a952b7b1398bdca25c5588093

SHA1
2ea5f9a48c035c28c2c8639ca79bfbb3292647c0

SHA256
f6cdcc9f8e1fd0d2f727e9373b2a447738878100d7fe12ab5ebd0b31462bd0f4

SHA512
0d27904b1f05bd3c925eedd0c3238ab6d446c1a7003ac516a87a18d528ade2e6eda0a515cf0b280cfbf7342e66eca51fa72059783edcaa556c190138441d04a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b17d.TMP
Filesize
539B

MD5
5dd69e478161c104a4096da3542ea1de

SHA1
c01beb3dce3821fcef6e7add111cb5ebc8e107f9

SHA256
016ebdae9049f0779c3f7d96da68a3531bac9e378bea48ca399a1af99c41b4f1

SHA512
30aa520b74f4b03c5d39f394cf78ace50935831f52cee66e3ef5a157282eb15b74e859d05d3bfc7d442bb3d2a659cfb8a0e8344181dfd5d74b5db2e4614ce6b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
6ee918750aa3212c10c7c75a3d4e234e

SHA1
4e3590e7a1e9d46ef23320239a151dca57b11959

SHA256
908d519389bfdede420dd240229b054188f5b3ef11d7f97af4721462177c19b4

SHA512
7752661f836d43a09b0c32aa1831ae5a1203b0190dc94d9a3681ff7f1f89442105a590da0f5e68f0d5d4af11025f37244c12612a7acd8d02adf50c4154017e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c939dfcd5b4c7f3d00e88b59c1f28dd7

SHA1
1f6dd78f233a9fee4089a76afb89a2288a8e30c9

SHA256
7eac33c11ea380315443b3afbd486d7c4b1ed1a9bde89d24e8c483bedb7a28a7

SHA512
9f5c39ce290e04ce54fd0fcdeb7e7d6b072540141031012e4cd3760809a44bd08005dfe3d562289bf45d07d12b214e06fb7f8328335c64c477202e57be54e189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
31210fc16d82c97bf439ea0a57309d67

SHA1
f1798caedec5cce76eba8ec550cc48a7d4ea1fc2

SHA256
32dc77cccb416fc1fb979dcfab1b1ac1d85ba0654947f7e7948b2bd9907727a4

SHA512
af7b9955dd4686178c0f654f8e730428ba6d7b27652517e02570f59edc32c9a0a1b0b9015f7bd6a5d58f23fa82d31d2e277a2717ea0b7893270448245bbe3718

Download Submit
\??\pipe\LOCAL\crashpad_4684_WZBEOJWTCSWYPKXU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit