4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/05/2024, 01:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
Size

897KB
MD5

e706a8a27c019131e71a67f6435465b8
SHA1

8bf1019c8d824e587986cf2476548d4eb5a6034f
SHA256

4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d
SHA512

4f989024756a06c5efc3e7d04ac2feada6b8b07f74922f52b4d82a8aff1b6ae6b7d15aab151cc9cdc60954538b3a92d92a36fb690ac67f042e8e1960ff1841f5
SSDEEP

12288:IqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga3T3:IqDEvCTbMWu7rQYlBQcBiT6rprG8aj3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4464	msedge.exe
4464	msedge.exe
2728	msedge.exe
2728	msedge.exe
4592	msedge.exe
4592	msedge.exe
3760	identity_helper.exe
3760	identity_helper.exe
4836	msedge.exe
4836	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4084	2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe	78
PID 2632 wrote to memory of 4084	2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe	78
PID 4084 wrote to memory of 3312	4084	msedge.exe	81
PID 4084 wrote to memory of 3312	4084	msedge.exe	81
PID 2632 wrote to memory of 2728	2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe	82
PID 2632 wrote to memory of 2728	2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe	82
PID 2728 wrote to memory of 3508	2728	msedge.exe	83
PID 2728 wrote to memory of 3508	2728	msedge.exe	83
PID 2632 wrote to memory of 2496	2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe	84
PID 2632 wrote to memory of 2496	2632	4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe	84
PID 2496 wrote to memory of 1168	2496	msedge.exe	85
PID 2496 wrote to memory of 1168	2496	msedge.exe	85
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 2728 wrote to memory of 3388	2728	msedge.exe	86
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 2728 wrote to memory of 4504	2728	msedge.exe	88
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 2728 wrote to memory of 4504	2728	msedge.exe	88
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87
PID 4084 wrote to memory of 3600	4084	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe
"C:\Users\Admin\AppData\Local\Temp\4212b309ff4734781e9b7b80edadd16c2cf726fc7ecf15a40a1789a34345ab7d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc95a3cb8,0x7ffcc95a3cc8,0x7ffcc95a3cd8
    3⤵
    PID:3312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17342716530211230999,18191858540174215730,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,17342716530211230999,18191858540174215730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffcc95a3cb8,0x7ffcc95a3cc8,0x7ffcc95a3cd8
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
    3⤵
    PID:480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    3⤵
    PID:1376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,26719571893977654,10839191862186686864,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6456 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0x48,0x118,0x7ffcc95a3cb8,0x7ffcc95a3cc8,0x7ffcc95a3cd8
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,1535772622249651603,17381690351569700467,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,1535772622249651603,17381690351569700467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
efc85768b5295adbd90afcf12f98d907

SHA1
2c5a919f973738ebe916e1637090d0c468f2e0da

SHA256
69492116d34ab786098cfc7a5d3183a93e0d5235713b1bf22f3f16f1634cc132

SHA512
afa1d13f67afa5935303b48793daf58fad5bc89f94b8ede3fcea91c4b597c184ffdd47f9f5105df001c60148aae054bd24db53b43f5ecd7ea9f6647b8b449595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0f714e9154a81b60cdb4e69b10da4605

SHA1
cc7723ec360fbffc9c1cc1fa75b68c6ec472fa4f

SHA256
26bbfa3bfb3b51d6e1e9418c94717a19fb8a805911bff7a2e62c18037cf51f21

SHA512
ee1e1ecf35c0c706d3f4266e57bae5ca92eb8aebb605c1789e73cff2d06fd3ae4b8696b8a1f4e294fd11456a894bea799f8009ec615124a09afe40711dbeba55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d53dd3f264244779a3932004cdd9e36

SHA1
2b3fdcb38149def49e048ccf2f7c7887fc95c5a1

SHA256
49220eeff15e9d80e156bd60720f632a0439a263e373794be244a51d2f5577c8

SHA512
8d8e6d796c45b57dc7a2dae37e0e68b49792635b3eef2b149c45618024898c0761abc4509af8f5f358ee880bd1525d5ff45c7a9b1d71cfdbd2e0958c78a974b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5cbfca3b1b1d25cadac0662fb88276c1

SHA1
789069e8d821c6b2942cbc52c2b99768429c9cd8

SHA256
44d2299a0b3f98e4d9532fb1f062e7697590f2338bf689bc82ce54118b8ea298

SHA512
0ee6d499e5fdfeca9bbf4d171e82815bcf79796e0f6467dd9ce95a3890cddde5e1e6a81cf9f05070175af88c1d741418a0d674e10b674db6717202a081bb359a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
b2fa4b5a6f5260366758918b10e6e1f1

SHA1
01168b69e5f9c76aee65f65308363395e92f1f8b

SHA256
c58b0d5997c6c1c4be3a62cfa437a0b7575efe0e2829795813b099454dae59d7

SHA512
a3c3bb543353cd7cfa38cf4baf9c749a738f07e343683b9c8daea094b3647e238fe3cc842ab2903861b9e74eccaff49b6e38000074d0ec8a299dc59953ac0e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
14f6dc5e119bce01a329336be260b7e1

SHA1
b956bf241c3679d8d6f7ad404171dfec611c47d5

SHA256
d3ba8197c4f7d786132fef8972db3559c21140acf8fe8c47d15d7cb34057649e

SHA512
b9f921150eff96c9f4aef7591279aa0d68fee62c3075cbd8c631065b4a7ebdc03cbd640bc255b246a21752b7d9700b770484d0221386179118318ab3e1e74f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
e5eb4e1a95d763d41d8aed4d95e72f69

SHA1
f4b695a1271abb70827d8ad51e188f89acba7956

SHA256
40e320807b11327d7cf0db32ad24d488416500a1a13c763f3f5a546ee969ece6

SHA512
382b1f6a500fbfae01997d419ae10025499d222bd847748b344ea444800657ced3bd8ea05e128529ca66f26293b793c3bee8635c4e6292dd8541f61c036ca8de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
9e9f8fda65e949ca938fcfd4991b6b97

SHA1
2ac62c0c3973351f068b614d6778287ab02df131

SHA256
e2dc302fba6cc55ba6ca19ab6a5751572de0ce027fbc2c0b64c66615907a9178

SHA512
4a6b5d573173c3714bb8e3b60a68749d9f16181e4d3fe033845c20dc00e523aec9d598946a071eed92fcb66afb6ff1550da0d72e89a3d11dc24941a898f29259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5799ee.TMP

Filesize
707B

MD5
c67414a1f2f5344b61bba0b7aab9aeaa

SHA1
8a3266fb8b85cbc6e7de7ab0ce0636167e1704a4

SHA256
d9e218a5c209cb0f32e0eb0a18be92f7160374c292e56a8209223ff50652c1e3

SHA512
d14889b0ef486279c440eda6414f8572e3356f57dc4945ca2b0c990c736a583b66bfb3205a4c5d7f63b46404a9d1651575f2ef037f7a9962bc45d6b450dc14f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d81f6b24e4bc5256227bbe451efc42d5

SHA1
4bda1c640713594cf56b2c41230688aff6d342b3

SHA256
86b3055538dea74e16bf8722df8232dcc5fb0340f6ae6228347b05ba85ebd202

SHA512
cc833173a61f0e1c9228236c4a409e832c0935169be231c8b0d76e9e03abd83749737f52add0b4b80d412c510de5f647a8f13cc121c0eab59bf5bebe5cf067d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23f79a3674c645690cda4b50a2728366

SHA1
798180631c4ed6d403135c47ed98af86fbe28f09

SHA256
3072794961006cf38cf993da1896c7b50ea0121c8f12bd47c40da6f87535197a

SHA512
6d130b4f6232ccdf1eaed8d8b4c59de6f061c597f0ffad5040ccca910f37c4f172794aa52b0e93d31ca70b5017581949c1dc008b3d9e9bd4792479d0982a105d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
455c4f43760edae4feecf6c38519a901

SHA1
2020e556c13b3d7eb7846157fe3a3f11059a4181

SHA256
f91886213094768c39177d45fd23d1fd6b2ae46285a6f4bae48a42f9be15f7b6

SHA512
2ec050f4fc0ef7ec9e366eb641eb17e67b7436df064f529703ed5619717f3a419bab27f24de885c5e667a8418e328ad26521739a6ac5de106592944781ae0326

Download Submit