bd0fa439ed6dbe52d1c3062d92142b42328665187fb4fbc875a4be4365cfa101

Analysis

max time kernel
265s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

login
Size

14KB
MD5

56eb5c77c4c1f4e00e085346af419afe
SHA1

5b62db3d3b450268721e63803c637a594207919e
SHA256

bd0fa439ed6dbe52d1c3062d92142b42328665187fb4fbc875a4be4365cfa101
SHA512

fe9a3d11877d30d1c7d139f2efc1840fa8a9e0dbdf1b7411d6458b23bc02b3a83ac4b8357aa61ae2263112e311966e6072a30a3b5d253b89fbf44e2244596fe8
SSDEEP

384:sedSZCXlItSJ+0e0lTMsq3rcm1tJE9pNnMMlnvhNnAMlnNEjBMmMmMN3fVWfL4nW:sqSZCXlItSJFKsq3rcmJEXNMMhpNAMhk

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592237159646103"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
3652	msedge.exe
3652	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1548	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeDebugPrivilege	1548	taskmgr.exe
Token: SeSystemProfilePrivilege	1548	taskmgr.exe
Token: SeCreateGlobalPrivilege	1548	taskmgr.exe
Token: 33	1548	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1548	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe
1548	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 544	2040	chrome.exe	88
PID 2040 wrote to memory of 544	2040	chrome.exe	88
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 2764	2040	chrome.exe	89
PID 2040 wrote to memory of 632	2040	chrome.exe	90
PID 2040 wrote to memory of 632	2040	chrome.exe	90
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91
PID 2040 wrote to memory of 2632	2040	chrome.exe	91

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\login
1⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff475aab58,0x7fff475aab68,0x7fff475aab78
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:2
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3588 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4300 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1928,i,15625501892454766775,8364182116116456688,131072 /prefetch:8
  2⤵
  PID:1528

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3120

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:452

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb26b0e51hdb65h41f4hbf0ch4f48fbdd7430
1⤵
PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff46e746f8,0x7fff46e74708,0x7fff46e74718
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,880694450159513781,11358579582544587979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,880694450159513781,11358579582544587979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,880694450159513781,11358579582544587979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:756

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}
1⤵
PID:2388
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}
  2⤵
  PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d3f4d6373c1d19559020a1c1b529bb8f

SHA1
29d9d7e34bc772124a58c0d2a3f461b63c2293b7

SHA256
db091778a749cbaa9ad10583750c5b65c08427ec83eccb1fb25f4c8baa8080a6

SHA512
2dfb82a09f6cc549b1eeb7033dbb8d28b8caf4513f747326af198ab2d4b7f6260b0929dc9dd79911c9ba81e97cf098b9d53c3dcf0053869431bf420e92a3ab51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f3bd7f8661da74f6c90c681ce4f88431

SHA1
27301b547191baf0b5a6393d5b375f8d58fea308

SHA256
c0e27320dd637d5ae4516e29f3f46440a9f23bc341cde98918f556877551c483

SHA512
82f87708e260d4ba56501b88735dc9d2001a58622992980d0fc1ecb9832e9f0d0d31a34b2ca1b522ea08fbead54c12545f298146ca7620a19dcacf95097ccc99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c7f358b33e7978a183cb6b16d35f290c

SHA1
72fd141e3f4ef0796b607eef3e1bfc0c1be15ed0

SHA256
ac36ce6fe5f86deefd56e5413921a9000d5a47e6f047856d3b7817e4adcce4dc

SHA512
73d69d2320b774876b11bcf712ebcbccdd5efbbcb08b7911a31f471b620e2cd95c18a8b4759f8801f0280ad81fc62e735802814e819203b803a978974385af23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1ca8174c8d66f25c364ac2a83f4c4672

SHA1
42dcf07830f3f3cfacf66e2be35742cfdffab14b

SHA256
00ccba588fd4ed74de31aca16851a03f324943358d8cb5e1f4f33cd99f1cf44a

SHA512
e7f7939c950a0dd1e229e03ec3564f05dd7cf725a65819b1b676447a0c68a1259761ce927f1c8cb8847ca70f3d28520ed30cde37fd57c2132c125d96508a2f2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
abc756fa89670754f87d45224bf9250e

SHA1
05197c9932abcf8d7b69323f7a77deb70a60c1ee

SHA256
7809705050a06c91aced69278c202834b1f625226a1323d5bf0f30e211ac306c

SHA512
aa3c5972c4a91e811021ea9fa006c220760f169ba5a09d8ac0271562a0a610add9e7e72895a0237f96b939dbdf0094487ebde3b802bedafa19606adb447aabe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
4b5db67052b8176d8c970fcaa6d242c3

SHA1
16e9e3358c4ea13e383a5f5ec89787c151142c7f

SHA256
5dcd82a9249dde58de6613c0c571a433ff5d3754abf74b483cff9350aa2f0eaa

SHA512
831c81785409cb3b8e470d1da8c2bd2c43cb06875646968ea92e53da53dd85765df845fa5c10fd98fbf251731da633e01959338ede56f1203293f0ab87e5f14b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
d22dfe163043793a62fed8f84612973d

SHA1
349aa7e038085ee5d5dbe4ee67e472d367418ae4

SHA256
5798768015dd94cdd9ebf8578e781046bca2b1add2b62091beefd8883de1578a

SHA512
0663bd24879c56320de136ff2f14cc448b91e81d2d48b2d62ca6e667b76b81e2d07c5439571b1c301db9bba650cdf2cd640fc74d647fbe091744a5f2d3fe94c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2711008816271333ce5b3de1d3dca878

SHA1
dd093a3a18608fdccc8086b1c5ba98ce9e95714f

SHA256
3f3873481c9b6d8c6aed59c30035c434131fd25b2abe6ae4daf435e6c1552785

SHA512
7da49147eaee4b36b95e71773010ed5a48ee2a0cb47ca636b2fdb2253dfa8d31b79c2f9285f223d99a2c347df2ed192337216a5a4db0622be8904efd1a9f0292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
924f0e006e4a9066e4810f5851435be0

SHA1
c20ac2aedb82a35fc857b65b13c6a4b41805d802

SHA256
4fa41f6ac4c42058548191c5dfe85dc1ef7f4bea5d6c88c3a5abf4fa3c70fa1a

SHA512
9871c6709c786a07638b896d7e40f155b2a73bed754a75149bb87c250070c8bf4516de26ae77f2decd7f1d9bf02eafa134d13344b3b6e99579b1e3867bd5983d

Download Submit
memory/1548-159-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-170-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-169-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-168-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-167-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-166-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-165-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-171-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-160-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download
memory/1548-161-0x0000017FAAB30000-0x0000017FAAB31000-memory.dmp

Filesize
4KB

Download