230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07-05-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
Size

897KB
MD5

2efdb22a000eed1b183b24844d35f034
SHA1

34b15b991df91d47fbed3084304dc1f1781652cf
SHA256

230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531
SHA512

ce7fb4de4c62bca02b3316d275ada6edd340efe2e5ebd7b1a19af37114a11766af88efb5cf58420740ca4392a7f5034ca5463bbad05559e575c1be6c47588bc5
SSDEEP

12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTU:GqDEvCTbMWu7rQYlBQcBiT6rprG8asU

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
756	msedge.exe
756	msedge.exe
2136	msedge.exe
2136	msedge.exe
2888	msedge.exe
2888	msedge.exe
3284	msedge.exe
3284	msedge.exe
1420	identity_helper.exe
1420	identity_helper.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 756	4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	80
PID 4632 wrote to memory of 756	4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	80
PID 756 wrote to memory of 2204	756	msedge.exe	83
PID 756 wrote to memory of 2204	756	msedge.exe	83
PID 4632 wrote to memory of 2800	4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	84
PID 4632 wrote to memory of 2800	4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	84
PID 2800 wrote to memory of 4464	2800	msedge.exe	85
PID 2800 wrote to memory of 4464	2800	msedge.exe	85
PID 4632 wrote to memory of 1424	4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	86
PID 4632 wrote to memory of 1424	4632	230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe	86
PID 1424 wrote to memory of 2460	1424	msedge.exe	87
PID 1424 wrote to memory of 2460	1424	msedge.exe	87
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 1616	756	msedge.exe	88
PID 756 wrote to memory of 4888	756	msedge.exe	89
PID 756 wrote to memory of 4888	756	msedge.exe	89
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90
PID 756 wrote to memory of 4112	756	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe
"C:\Users\Admin\AppData\Local\Temp\230b9aa49bd2ea7cc1e1fea276ae40339890fcf0a022e182d0d962c316c16531.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe2cfd3cb8,0x7ffe2cfd3cc8,0x7ffe2cfd3cd8
    3⤵
    PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
    3⤵
    PID:1616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
    3⤵
    PID:1952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3284
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
    3⤵
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,14282954273355028350,1732624430848995131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6440 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2cfd3cb8,0x7ffe2cfd3cc8,0x7ffe2cfd3cd8
    3⤵
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,11514274208478139157,15122533132279525481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe2cfd3cb8,0x7ffe2cfd3cc8,0x7ffe2cfd3cd8
    3⤵
    PID:2460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,11380297328507264047,9646378467078287015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
836e08eb06480cf1daae99da57039ed6

SHA1
5c7dff3028e41a7a082f4ca9237d720b0dd6229f

SHA256
fa7a37a6059fea4c7e9a158a337f4aff22bd80ef1ad963c65348488ed2122c86

SHA512
2bf8f79ad5e690fc56081200bf101dcd96754d7384679ec204d19e53e093efea730c111c0c2c9bdbc9bcdaf7396ed541b25fc193f78ae376fdc1688020d72a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
35b8395c052d36dd5ad595a8e67db4c3

SHA1
2cd5e13d0e906e5cf011437b7900e88aa60e4e49

SHA256
cde143ad2794d316ae8d401d450d95efa6d1421feb8fa3d8c3b95e2b0d98e07e

SHA512
acd073b1b95b0317ebf05ea3c146e51a983cf981cf36f5cefcec2f04ed01002e941c99dfe71cca224c0abcb28d3397a7663c92a4d311366705b3f5239e8ab4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7a4d12497cc6f70541dd1213af25ed0a

SHA1
70cdcf1e0ba89a31c22d6e78105e62d7efa61a7a

SHA256
9af63612e0243e5b5dc6674c34d40573f44a4260bd53b85f9afdbc64b3cd55c0

SHA512
c1fb5390190c8056b0ca45095c58b137a438bc38e2ec96fea4cdd9ae1abcab12bcc1e163f2566d51039ae736cc40a6cad73f70e44482d869fea5fe8d389a0f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f6c10be6d7a8d665d37e150f9d63fe3a

SHA1
2075b6d756c7427dda697eb63f52a2a1420b8fd2

SHA256
c985616617a632a4c9f8dbc6c818679cb28aa63d3beb1a679a1f0c492f392c65

SHA512
2958e93b1cac4aca5ea2c68cab9a84cd1eeaa99ee86df6374be01e42c9ccc79dcbdf0e6b7b3685ae342cac658edf378affd217fdb368e5da6568581747bc4603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
52e79e213009ad64fc8660e4e9c637bb

SHA1
f236861ced3bf6abd7cf0855dd7d3c888a4bc184

SHA256
00d5bc7caf2ca9b23f442cf62136175d605f991db3173fa2c5be0721009cb823

SHA512
b2530960ef6b202661816663d91fd0ef5fd9a7597e17fc348de1f40369486fb6f5da6886e9ab735f1d4a664a8d3400e2579a272d5da8eb281c2b0e9202121154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
2e38f4be278e438edb64d30987eccc76

SHA1
c3ea580e89b20e088ffcbf49b8baf404f1fe9867

SHA256
0881975490f58509726c3acaebba64b0562cc74eab63440cb91b960bab589367

SHA512
4ead7442a1c39c074b68be9efb5aadeb8d02232cb4380969300ef26b1893d2007b181b9571839f84fe8714653be85b96058d1012a51472f464b15b505294568a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
a4f04bb1cc0ef08f5bfc7f477c1423fc

SHA1
533f718b4d25b0428e5728f89b5badd7dd5cda55

SHA256
5531d127903acd1b635e65f37db7dbfe2b314e7f3cd1f2b03e7a3d404a7b3d03

SHA512
9551cfbcb52c9ea335fad7a34772e46f462cfec11ba020298b2f6c4f2dff96bdc3b692175f53067e4241357e2d57fc3768daf486e95db4a77cb2451dd81c975b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
3b17336a948dcb1e133d60d9f5c24f41

SHA1
99ff16a4f7d4ac6921c13fd59606bb220dd65f90

SHA256
cf46f286ece3734fb0e0d79c1aca2d71cbe09a8cea793cd7135e53a8ae673cae

SHA512
878532a15fd4ef881e13fe075aa962f97ff12629ecf7083f4a6c39aa66ff860e9c07b47f7202df5fef2e27d9a620628d55ad64cea2b090242fe567c3cf76e629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
375feb1753affb8291514104918a9017

SHA1
7b4c9a4318fa372f7bcfdabed53972c918c882b9

SHA256
e1b9054f66b5e8d8e2efeefb7409c575024f2b1965b4dd94c9c4487ca15d3016

SHA512
631de0bb8767dd6870962aa1fd7e480a8cbd5f81f7675ae887f9af1272332f00920a53faa217d398c1b00b3720461401942770517140ee938e6477b03599da42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
aad049dd0071ebc06087df43bcb70557

SHA1
555f86366b410847d574d8eaa98d2556e2b59ab7

SHA256
3e968bad54ff75b7b312a1ade963bf7e284f78db3e6fed03fb692edb90c4d71b

SHA512
e02873063186e53f0aef5d9680d821c40477e958eca0a0501fc586b9681d965c97e4a1cdaac316d353f645ad272c22cb02b495c2f0b907c4f3bf510c713949b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b16e.TMP

Filesize
703B

MD5
1f8852119ef9c0319318eaaae0a2f20b

SHA1
3627843004ed58badda15c898ac55a1146aeb95a

SHA256
c4d1bda99a342b6f8959d3f327621aa132d26be78429208e94d7dacac2c0a4e1

SHA512
5aa0975bafd923263e8804a2d17d18282046f57d83aa831bdcd11f34f790124e997e0220e530e222b37a241f5a23a3bd3d7412d512994223dc236828d9ad838f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18eb156c9b7d0b9887d165ccab0dec6e

SHA1
bcde97d0135fef86ba024d4b334ab729949ed7f7

SHA256
cee192b5e28aeda9a66ef4bc98e19ae25ce60eead3aa8c90bf89f6fb1644b938

SHA512
9e63f0e023f4eed7cde1c10f8316baabd87cb4d4690794b3c8ed058f320976a26341fa5fcf2a2f7127077733466dfe8298957b68d147ba796975199fd26d13bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3138eda694dacef1f3f74915c5b94054

SHA1
0110090b05b2986015de7183c16489b5a9ab7a96

SHA256
70ee30c93605d97a7e188ad160f18432b2678f9e60ebdf45be8e16306bcfc75b

SHA512
ab697317d64c9dcffced43f801bd03e821d78c2ebbd90b0493b26202a59bdfa5b1db11804ca81e873c2fe510244c886f312c8f867199472d551e6b1516ca245c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf5b48a7a36066cbb9495fd3e0a993ce

SHA1
4df115e94fe6757875406ed090ffed261e043e27

SHA256
e457babd057549c186090e9d6f018ded3242215ba1f85530a301c0308ac636ba

SHA512
b0c0fd2f997b95a0bf928d90fd23ab4e36c8adab19e698b431668426859abce2ab2a3bb962aaf25807d4cfb22b7d030b1171d7a54813ad1ffdae748c447ce16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b1111f98d49f3f4a5619a106fe574343

SHA1
fc509975e39a3588f73a4ecd99023ab16b46ffec

SHA256
4a29253dac0b47015819f6974191f525c94a358bceae863fe01b1782ec3a53b2

SHA512
618152cd6e05997dc2649375356fc18bafa91348caa042f19f6546e3c1ffbb539cf0be086417705be15a1f5a5c52d1989b51e4297e8ce9df5703d0c53865482e

Download Submit