519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 08:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
Size

896KB
MD5

ed7e08cbee22d24abea2f04c4f2d1de4
SHA1

e4d81b7e496f11a8682a4e81978a06ddc0c52aae
SHA256

519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381
SHA512

940284a76dfdae3d79a8a24832d5838cd40f329c9c6010d7481df7e4ea95c564f95f87b68499c5ab1bc57280f9a94bd59027bbbff30d01ab9d6bb1afb6f01d29
SSDEEP

12288:aqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgafTk:aqDEvCTbMWu7rQYlBQcBiT6rprG8a7k

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1988	msedge.exe
1988	msedge.exe
2204	msedge.exe
2204	msedge.exe
2732	msedge.exe
2732	msedge.exe
3864	msedge.exe
3864	msedge.exe
3004	identity_helper.exe
3004	identity_helper.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2204	1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe	81
PID 1552 wrote to memory of 2204	1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe	81
PID 2204 wrote to memory of 1836	2204	msedge.exe	84
PID 2204 wrote to memory of 1836	2204	msedge.exe	84
PID 1552 wrote to memory of 3016	1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe	85
PID 1552 wrote to memory of 3016	1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe	85
PID 3016 wrote to memory of 1164	3016	msedge.exe	86
PID 3016 wrote to memory of 1164	3016	msedge.exe	86
PID 1552 wrote to memory of 4880	1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe	87
PID 1552 wrote to memory of 4880	1552	519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe	87
PID 4880 wrote to memory of 556	4880	msedge.exe	88
PID 4880 wrote to memory of 556	4880	msedge.exe	88
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 3764	2204	msedge.exe	89
PID 2204 wrote to memory of 1248	2204	msedge.exe	90
PID 2204 wrote to memory of 1248	2204	msedge.exe	90
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91
PID 2204 wrote to memory of 2196	2204	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe
"C:\Users\Admin\AppData\Local\Temp\519083820fa900ffaef3d81d0ec7f5fe8a8f8a26c5ebf9e6ce0638e01dc06381.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe56d03cb8,0x7ffe56d03cc8,0x7ffe56d03cd8
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:2
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
    3⤵
    PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
    3⤵
    PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
    3⤵
    PID:2256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
    3⤵
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,8161978481913915395,12696816707466852751,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5708 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe56d03cb8,0x7ffe56d03cc8,0x7ffe56d03cd8
    3⤵
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,15939693715916841262,5175989486359056304,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1708 /prefetch:2
    3⤵
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,15939693715916841262,5175989486359056304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe56d03cb8,0x7ffe56d03cc8,0x7ffe56d03cd8
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1996459785930898485,3256950922938115981,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
    3⤵
    PID:2820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,1996459785930898485,3256950922938115981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e6637f8c05ecbf1c28621dde58cd3a4

SHA1
a25f098147c2818f49fa5929b1c8ef47264129af

SHA256
62f73a99bb5b0b35536d446724a2a2cb93c77a5904eddf4a75c4f5f511fc45fc

SHA512
ab4fb53b950529509609ee4c513cf3a18e996aaa13ed7f5018ab1acf8a9b75559713e4d0f265c3faa137212439b5dd7c0a6f06784e2f0be8ec864188d4d35d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c893791b97cb36187ec4abeb81cb59ac

SHA1
1bafc5987b49bf6b62ac0226fd0a5f4dd29773f5

SHA256
7be617f941bcbe488c9a4993f2e8c5c85b56dac59deec8005f94a5738e6966ad

SHA512
c31205de9fd26c60cf1dfd7e96f5f9c2ca467ff3c7a0bcef33a881f6cd2564619ff731fc3f7f179dade3d8ddc9cd499c3ec20d0171afd2f2fc23aae73cac5118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1c82fca0a9d86848328b4cf27bd4b5b1

SHA1
db290aec5088bc922b7263fb94bf55eccef78d1f

SHA256
48472d79684712dc67350d6065748b00ca7976c6e54a55c7c2acc89712b764dc

SHA512
b2b662bd4031464134c850e0c0078e8346e60eeb0223f34b1cc97477ae9330cfa2b2d4063a53803030769091d95eb703f89e35ef1ecbefd1d7717bc3cc9c15f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a2df00cd55de11d1cbd2c93e5b19f7d

SHA1
724c745b742bd77064104eded110eded3b19171a

SHA256
b5a3dfea92afeac78d220b6497932ddc0bb90152aee8c8c281100f30052c9728

SHA512
87bb5b69e80e9f12605948d6aa54125108bc4d1193ad629f2b52cf8048ef9266c754899acb18fa43f59c2f71428e274b0fd7cdbe4462fc9015d2ce15df2d2f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e709cb68e4ec3ab6925ceb5b744584df

SHA1
ed91639a1484246494d86ac04b100bdb7dc3b73c

SHA256
bd046b82544f21f08578eba734c8da8deb42ab4b3433d8b775f33d47bc30d36d

SHA512
b4e00ee39f9c5435f696983c1ab16ecc62e9e6f98b49afcd8742660b8a94837f6e346fb9284dfefe1f846479aed804e027b3245c63a0a47583e7c9a32b7f51be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
c294a1092aa9d4ad2d050bcc760c48ff

SHA1
e7252d3f649b03d813da8b847479707b010c6d22

SHA256
c97a4384c21bd44f9feb981b362fb016e157ae2ff4e0bd76a6642253e49657ed

SHA512
e15f9b0b78679eaa7c8dafbc2447d720093a1641eb50e81ba83ab33480ff4720c7e98793115cd69aeff7df6f0f6bfff8ebd9a4133d600b144cdf7d614abf9812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
41547d1c2a89fe253cea64a73e721239

SHA1
b710398e9ffd6aa4377f18da2aa1b30f0e7e29ea

SHA256
928ba10c33c333e1a7eb00606b58b2c3d9ffbae6028e9e1fe6d87151ec768e83

SHA512
850e880e66ed8ea244f5ebe8380b8a76556af6128ac6636bc708ea2d8f2d170a9189b1d71295ccdbbb21a8643d4ea9cd9727ac7d3ab4ee4d997fe6d692d59464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
37f8dba2fdb8a76b91acbf1ea6d5d1eb

SHA1
45e4bb3277cdf7557f7bfa8f9b36f21368e97950

SHA256
b2e47d9fc9cc2eea1a2f462ad8c8c3527922c6359a2e78b9eedc0ba07c400ca6

SHA512
9f5307e24c56be74bff3f83c670ac204bd66570f5c9487286d8cb1d8e52b2f23a813935346bdb0da787fc9e6eb9fbc42200557ac565ec0cbf736ecb6da067aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
1f80df23b103aaca133638ce7c3f6489

SHA1
ef7a23c8e772db5b132d49c6fac833b1b04e072e

SHA256
aca98dfae297b92550ac64d516bd01f8a531ceda629ee96f6b3ad8d09b7fe073

SHA512
128985ad5984e17fa774b86fff73705afebb4b4cd4400969fa753bc347d92a245658362c6b2d03581acfc2f41c1daf83d711f0692ae6003b19dc3b86dc8cf5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a9fb.TMP

Filesize
539B

MD5
551c72d8d3a1ff480ac79c20aff6f0ab

SHA1
4e0d30e1dae1206ff524ea3982fe58c23ddf682d

SHA256
679b23eac7372d4355d8847845306cd52032a40bc49e7e195489708dd9a8152a

SHA512
dbcbb98f71e5cc778f7c2b2de0e0632c2ab72c855c3723aa9d8a80ccb20b35b2983440dd468be0d5b2c4e4586d56480797ef824a66ec73545f27d59743e61738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
33826b87feba47ac1cd7ad4bd92673bc

SHA1
50de9e2523fa18ada6d684ffb2a5b1c71a6e28d4

SHA256
dd033e306483d66b51ac63a46a1a2656a8943a4ec079b4172b9fd268714ef7ce

SHA512
f78ab28ba9b4e2457c98f156636afc0aa3f00a3e957289a000b86e1be0d873f08f708faeedc2a1efd3241f8f950f82a6653f45f9c40fd709e98787dc2c332eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ac0d8e4a2bd1543977e6574c1314d23b

SHA1
f59be85b5c2507fc2ad1920f9dd9327cd2590d2e

SHA256
057a9389c73042fd17dad6c9d660f09289ec61b5aeeff22607f55f1ed0b926bb

SHA512
df41cecd134435dd3079c0ecd163e61bc961a39fee4bd03b624b2599a23b73cbb1972a1559ae077d022e20a44b522a66e733ff94f7e78c67dc114333d123fd80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d8dada071dc1d8dd0f3cb701ec642f52

SHA1
dd2b13cadbf652c608928d1c42058a6b3d617b40

SHA256
77c2fbafee37af7c3c4767e8d9ba30c235dfad5d6e74af93c62e4368b28166db

SHA512
cb11af005061d21a383fe8ff99f39a7417725d9d37e22efd79a28ce5e9fdac038d8154af3d77bb0c710a97e0da98b99e0b02d63b82a924c1b0644f272b894fec

Download Submit