230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
Size

897KB
MD5

2efdb22a000eed1b183b24844d35f034
SHA1

34b15b991df91d47fbed3084304dc1f1781652cf
SHA256

230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531
SHA512

ce7fb4de4c62bca02b3316d275ada6edd340efe2e5ebd7b1a19af37114a11766af88efb5cf58420740ca4392a7f5034ca5463bbad05559e575c1be6c47588bc5
SSDEEP

12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTU:GqDEvCTbMWu7rQYlBQcBiT6rprG8asU

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4832	msedge.exe
4832	msedge.exe
216	msedge.exe
216	msedge.exe
3656	msedge.exe
3656	msedge.exe
4644	msedge.exe
4644	msedge.exe
5356	identity_helper.exe
5356	identity_helper.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3656	396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	83
PID 396 wrote to memory of 3656	396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	83
PID 3656 wrote to memory of 4624	3656	msedge.exe	85
PID 3656 wrote to memory of 4624	3656	msedge.exe	85
PID 396 wrote to memory of 3716	396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	86
PID 396 wrote to memory of 3716	396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	86
PID 3716 wrote to memory of 372	3716	msedge.exe	87
PID 3716 wrote to memory of 372	3716	msedge.exe	87
PID 396 wrote to memory of 2004	396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	88
PID 396 wrote to memory of 2004	396	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	88
PID 2004 wrote to memory of 3172	2004	msedge.exe	89
PID 2004 wrote to memory of 3172	2004	msedge.exe	89
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 684	3656	msedge.exe	90
PID 3656 wrote to memory of 4832	3656	msedge.exe	91
PID 3656 wrote to memory of 4832	3656	msedge.exe	91
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92
PID 3656 wrote to memory of 4536	3656	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
"C:\Users\Admin\AppData\Local\Temp\230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d3c46f8,0x7ffd9d3c4708,0x7ffd9d3c4718
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
    3⤵
    PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
    3⤵
    PID:1348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
    3⤵
    PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
    3⤵
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:5748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6394430724552712266,1612894781885276101,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d3c46f8,0x7ffd9d3c4708,0x7ffd9d3c4718
    3⤵
    PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15873712009634592579,10128633818943651730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15873712009634592579,10128633818943651730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d3c46f8,0x7ffd9d3c4708,0x7ffd9d3c4718
    3⤵
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2800143084133109369,11020495796457935906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:4064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2800143084133109369,11020495796457935906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
44b6fb197cd9eae57eb95441f3669888

SHA1
f806475ecc2f8625a77d46dadf30f781a35fb921

SHA256
7d762e91195e23758b435c856f32cc1e0b4c5335f3be3dde8c8930af25500240

SHA512
50ddedcf8d16ef3360989356280a1c08e08be0679814caac852e5c04b0203b9db3a69f9229fcdde00533c927906a924becce904fc343488b214b9f5568cc13ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
be254922b62466cbd598fc14a83277ee

SHA1
066d7e96081a2b254aa866fc93edcf043e5c04c2

SHA256
b399954d8664ac231f3067d78add1062a899624a4d734330ad627106d8fcb518

SHA512
5baf986c3edb56bd97b86247ca66e4885228f325ae1768f20a39369d6fccf9d9e36b434c3a9e5249559596c7523413c8984a41ace74f425fa3e926c9c6f50fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
eb369425c2b68c158f2945098e930dd9

SHA1
4cc0d3bcb3f462a11d19699ab72227f29514de4e

SHA256
96e2327e2bfe07564e303ab7e16b0f0e0eb5068be69da0880e6258bc1068ae0b

SHA512
256361d939bc4067655bbc2ae0c7a347ff884b7cd94f61640ef4e389ed1f27771543523286924851c8218a9d78700771cee7644003f9689cd68afce7d1ec1875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99a2a2c72a536f912b1e1277489db003

SHA1
36d1ce7f7c20596789a2be16d770bd5c443aea6f

SHA256
694f1c996704587d24aac5284d0876a290d693eb08bedd32f5374d5f45d00a13

SHA512
22bd16d6ec6222e9f7809cf66e6efc1bf17c5f2622175f4b32b43fbfe64c85c5c3c59058696157c8df7514553af13cf118d8ddba0d2c575300de6fd04130c7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ff3f6f86aa6db1426bfe644a954b07f

SHA1
f68a6375d429b9ba5e428c37f5451518f02d04ad

SHA256
ff1de6cc811f83a981f7613fdced8323af17eaef8ae4704a6513bdc89d45f5e1

SHA512
967275633c93d242a7dcf4c9253a1ae3e246455ad65a1b28ea971fc9f28192315cae31a81275176485206d0d44ee8f2f0fc91f46462613d04bea41e85dabc87d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
743690e368e93f5f047c7a6fbdfef8e1

SHA1
5e7057c2e07c8c149f4679841c9540ca18f46394

SHA256
96b20f649caa414e6d4bb0328ea09d8c04588d5030301402bc86aee43da027a4

SHA512
de71c78444b19e0848982ec35b7fa6c5c1e452f4ee67282d17fde188772638f855152a24ddcba2d153e06643d6aa003e0f0124084031d1669f1192421da44eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
0709f4ff3574468f5e4a1a9ca6e9429c

SHA1
08c514c0811acde0d8d2dc3a1093bf30819493b1

SHA256
c21ee950249f05623b7f0443240b269709e469d188155a06275203a6fd42eb54

SHA512
a42c9fb1158a2f5f0b7d9306d4bf19ae6503561431fbb164667ea68083b7a95bb60588c5f42363c6075e31244cc87742df833e8f5a3ea72e4c7bb29b849504de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
c1de0a7d8bfcf5eed31a0e7b0840fb89

SHA1
b6179f6ad22fff28011d59e89b46d4fb5a77e586

SHA256
9a3c7e65ebde6b70901554609153ecbaec90b7137fb409e9fe59b438442852d7

SHA512
55db878edd94c9cb0abed350dd110a5ec42b952f01d03e23059b7ce27b4f462607d43ad9f2ea939c6c665db171d219bf4328f61bcad7cdd2adff0f7ca9733725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a452be614a4a18630cec3f915dadae4b

SHA1
a07eceb69cacc49c4908e59b7dd72b8930c034e0

SHA256
88336336593ad3bb288e32707b3e24649e4aa1e4f6aecd843f88f9869cda15f3

SHA512
d38e04d8c83d9240f8e72fa0ae9a5458fd9985074421953a1143c2fd95d3b6ea206b69f0fb7e1ce6032fc4868fa6925963ea7b0618c5f2a9e1bf0130f0a7356c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57922e.TMP

Filesize
707B

MD5
0b10b09209d2f525327d9ac567c7a5f7

SHA1
ab3332e0e185c360d9a49ee25071621df909aa91

SHA256
245c764880380025401f1c5c4582c67ce9ce364364fc7bdf9f9d5c9cd5413bdf

SHA512
465772db3db3a10f6fa7042fa4523ba16c1044d5ef2bf9bd19e9867c30bea3b3a5450755779f058d8d83dc700d546f225662f532da8543265229af84c4f3331d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8023d6d8d3cd624ca1e6ee9b0e75b495

SHA1
dd00816f4d94f52185f5147325624ee4b6286d24

SHA256
be04bd12139d2cbcc6d4a84ac5d5cd5f0c1fb6b7a09aea7551e1f7b27ce808e1

SHA512
09d9bb2e78b7cbf8818333f52d1d49b03bacce7d3c33abfb9c65030216ce61ef42fb57d51f2c302e433060137f80290c3eaaa214d94b15c18373d28c3e25512c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
80571cf9e951e632dab6694e5c5f1a42

SHA1
1438d3c599dd93427a78b769b53dbccf2eec59a6

SHA256
793e79712b0c27673c5585c62ac9ebea72f40ae21cdfb93f11ab62c1c6b30e69

SHA512
0bbddb698b0c38c0c1e4a4c7de316a9ebb26eb926bb25b0791da98dcb5b023f72669bfc4c33bcbfcaa4ad356333dad77549053bfacb48f01f8aa089c56b391b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ee320dd840fd250de05d6803fecfe21

SHA1
261bd0b9ec5cd044feb6545c1a10714948ecea48

SHA256
de2253570016dbcd31b0f9f32f415eb2e8cc7ecfab77f4e9b88de55564a93bcd

SHA512
b738852d26d6a7e408877b6ea950a8bf0b22b192197384f5bce437810b793a8c61beabac086014e907f7f18e82498a383a0c665c0520a0fe250e1c29d84713ec

Download Submit