89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
Size

896KB
MD5

ccad2b64ccb9deb135af66cb5d4de271
SHA1

d7ebebc119489693464852cacb4f3e421f092d6f
SHA256

89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a
SHA512

7d880ce659b286e869022cfddc5da7904a0d4e07deebb6cb9f1671739886e20711d787b221d39685846a09a11227e362b5f1069fcaac6cba43c746d36a7c7244
SSDEEP

12288:xqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagT0:xqDEvCTbMWu7rQYlBQcBiT6rprG8a40

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
4808	msedge.exe
4808	msedge.exe
1080	msedge.exe
1080	msedge.exe
1752	msedge.exe
1752	msedge.exe
3628	identity_helper.exe
3628	identity_helper.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4808	3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe	83
PID 3012 wrote to memory of 4808	3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe	83
PID 4808 wrote to memory of 5088	4808	msedge.exe	85
PID 4808 wrote to memory of 5088	4808	msedge.exe	85
PID 3012 wrote to memory of 3476	3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe	86
PID 3012 wrote to memory of 3476	3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe	86
PID 3476 wrote to memory of 1732	3476	msedge.exe	87
PID 3476 wrote to memory of 1732	3476	msedge.exe	87
PID 3012 wrote to memory of 4812	3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe	88
PID 3012 wrote to memory of 4812	3012	89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe	88
PID 4812 wrote to memory of 1132	4812	msedge.exe	89
PID 4812 wrote to memory of 1132	4812	msedge.exe	89
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 4404	4808	msedge.exe	90
PID 4808 wrote to memory of 3960	4808	msedge.exe	91
PID 4808 wrote to memory of 3960	4808	msedge.exe	91
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92
PID 4808 wrote to memory of 4496	4808	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe
"C:\Users\Admin\AppData\Local\Temp\89cd163170a0082449f7719a6b0ee0c64a3a5e1fd339a8546866a13abf0b2c1a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedb8546f8,0x7ffedb854708,0x7ffedb854718
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
    3⤵
    PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    3⤵
    PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
    3⤵
    PID:5392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3247888196504445446,5637199204277039173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedb8546f8,0x7ffedb854708,0x7ffedb854718
    3⤵
    PID:1732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16387459312535550661,1695379254462976361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16387459312535550661,1695379254462976361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedb8546f8,0x7ffedb854708,0x7ffedb854718
    3⤵
    PID:1132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13193183637209733951,7201746217434243070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62c02dda2bf22d702a9b3a1c547c5f6a

SHA1
8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

SHA256
cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

SHA512
a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2533d6458d03f52e5291927cd4cb7f9b

SHA1
9a2e81b872db41ece73f9955fec4271a7e040218

SHA256
4d7f2dee262477f8f6e6a0e2df8d462b4071df5300019bf85592b30087e05ad2

SHA512
d49eeee75b65f23fd447bdd6e31bfb8c3300c9a950741ba4281d89bd5a568bb774f65d7cd91468ea8aad13d9ed775eb8b2f82315a92d70623c9e9876641df9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cbb9b48ba88f84189310f5459f9eb225

SHA1
f0929ad19f36dd7e92838a7b142fe56485a15ba7

SHA256
22156ad7f0ff1f9373e8da5935f430fdfce02716cd451d9f5075a259a9747b04

SHA512
e7d9789013d15944d7600fbc653739ae7b7388e95bd67b33fd732f7ca4c0b54f0de2a8867ca71ff10b815e2e5ae33af3d18110d187e35964d0985ac1e5d0f504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8b5a95e990283b17de871bae6150f005

SHA1
ab599f71e83dbcbde739e47a9f0b046a4ee7da1d

SHA256
6ad46131966c7fd4cc39fb89c1a59e708cd5cb5b0fa3e5fda4fca64308746780

SHA512
ea545b3041b5204232b3eff9c5a3c0e96b48622f04f0b5c71684119b691117a1e1b1bca0eac0a0cf94e93237e5fd8b1d013a3fc7d0cb18164eb7c4634b866017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a8b2ac04ba63b30d842dad4c468f93cc

SHA1
3c534ebb62079773a94c8db1931cba541350b878

SHA256
9ee2fcecf06a353e40ad4bb65584189fa931fb0f1e1bd05303d82d2b57970331

SHA512
05e97dfadeeec77e6b8c1b1fec546fc2c1d18c40ab7c3b68ecd8762cc70b6a39299faa30bb7cbc415a7d88b052eee1993ca25a4df60749c3cd012c8c6c8256b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3657fa3341eb17cc6e51c651dab9668b

SHA1
52b9fa8fa252ed2cec1717e573c7a0582bf609b3

SHA256
3ceea66d9db5a59c7406704f82612380a26ac6e1fc02ee63ea00f624bbcb682a

SHA512
99b766542d88fd90c6a6a77c6d6fd52dd8f9b7e48de1823d8ba93c4245038718da57feb7aa82c7b9f8df8b13e64c8f4f694f62589e8641a32fe60af942ab2686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
892caa810776499d7a7eed5025bd48a4

SHA1
b6b2a64510a4e95d8bfe735d5108dfe49bdd71f1

SHA256
bc389230f39f987043f496f81c93b1fb477d7711338d801e1da01b7816288a76

SHA512
189a1936b99a67e0b60de39aa6ab30e13c3248a5d75f618ed77a152b745eeb548f3fbef423c74abd8ae54a22d97c7127ef95c861878349fc98dba69e1cf13ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
142e30e6a736c52ca1bb7c4ef6061aa6

SHA1
9eb15ba9e1eb62ec4909b524b539b3050ff6ff44

SHA256
d02aec217fd7a04345e425a48a5a64114093eeb58548b66075b208a70454222a

SHA512
100f8a4b551a96142684f36cbd59909a24b13f2b768e5bf0a85583b17b55269ded3f0e6399df563afa824891b17479a23b534910790df51751a8be6f22c7a2ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
8cf247f57e8de2d36baa45178adacf41

SHA1
a0291eff96d4a56665a8531a80dc93def1b3b8bf

SHA256
7db8cc8ac7068ab6912a4279adc6987c1e75547fd987048a3caa0e263905d1ae

SHA512
56e09db0e4c235038a78aca53bb851f984023a03c2d073f0ae2236bcbeecb121add52c15cb0116640bba18a19ddaa2471096762e827be2732044879ebb1341fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
774f3f924e6562bbaba57dbea3f17b6b

SHA1
657c11d201077138246ab37c0e4a7e17450b5aa7

SHA256
274737c83bcbba8f60b5630fff251b78f76c26edb6a3e7c582068832575c5d37

SHA512
26c63adee402866c5403fb8eedced71c55291bfaf19b75e238e5f30afb5ef15a7ec6b4f48ecc878248ef9fa8c06d7e1716c7563494f355bce2503b4e91b7d65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
b6772caa10250586dc58d69c23798052

SHA1
f6fcbeb508cef3306d9cca7ec635a81b18d41f03

SHA256
f04af759dfa735bae0886d2b4a5b143cea3fbcbab717649d90d6df1e1b9ac5e1

SHA512
0db7074689ba94beebfa928a0597381f20627640e68c612eb622c403c093266ea92f5f3db4f8516a550b16c06b3cf3faa22defa2c26d6c8c38ea404c941cc99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a596.TMP

Filesize
707B

MD5
8f2e089f6970e878e97c9a84e67ad8f1

SHA1
8488f62ebcab1f44123078afa73a5702e9c60af9

SHA256
603247c857738928da924d3d71f050b76428dd4f6f70f3da216e762dc793a787

SHA512
9764d1f88becede3519ed185399bafd443e5e27aad1c4f672af735b0bc3faa341a9015e25f3cd87d88c3970a0d6597f889e03b8d7010978e70d4e2f15951fcf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
157edfba6871f5e307a362143f19bc46

SHA1
c786f4d8bf2246a4bc2588b398684a1f12c356e2

SHA256
0ab2ec1587423a40c313f4f03b37277cb5df3bcf05dc9db4665aba3bff52431e

SHA512
572fbfeada1746b601bc12c39dd7f943435fc4163a9859852299f9af6831c5ee6d3ba1156c7bb1953b21c009b90c5e00940bf3d190005bdb2e05c73aabb8416c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fd1c011258988b5abd520686f4f69af2

SHA1
f2ff5ac4a3a35eedaaa67006ebf845aa4a950766

SHA256
a32970e2fa6ebe542d15597921036d2f9eff15da49e0e19529ef614ce4d82adb

SHA512
a214909589f94cc7180e8f3702f3357afc6859b19b4596b7a09df9236119ca8467bb4d3c9129277136191ce6a9ad677d6a68f8a5d38eae9dbe324cc7d706a13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1934b6d9f5622b6c5ddd6bfd638c2b30

SHA1
007c09e2071904dd16009c1b2fe4a3afb1be050c

SHA256
cf4f7973a938c4db53f9502cc9126e62a930f0c9a79536db9620a02b09e58d54

SHA512
7846a7e685a6bd466de76ea498b4c577963307ee8d3205819afedc4e35fce6fc560da71245885027af840d42678835214593daefa2fecb5de7d3aee44e53d563

Download Submit