9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14/05/2024, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
Size

897KB
MD5

f1240940daa14acaaf19db9d7fb7662b
SHA1

cf873038c3df59e534ab046edde9a2a4685db429
SHA256

9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25
SHA512

1ac545b1e0bdd5cca8d7608b979bca8acdaada84c907ffdd8393be318c1c92f43e525ebc2701f1520855d5ec28d28b82d2f6a77410eb91c37e95c2348650852b
SSDEEP

12288:uqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga7Tm:uqDEvCTbMWu7rQYlBQcBiT6rprG8a/m

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2784	msedge.exe
2784	msedge.exe
4548	msedge.exe
4548	msedge.exe
4948	msedge.exe
4948	msedge.exe
5072	msedge.exe
5072	msedge.exe
3632	identity_helper.exe
3632	identity_helper.exe
2500	msedge.exe
2500	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4548	2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe	80
PID 2312 wrote to memory of 4548	2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe	80
PID 4548 wrote to memory of 3476	4548	msedge.exe	83
PID 4548 wrote to memory of 3476	4548	msedge.exe	83
PID 2312 wrote to memory of 4568	2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe	84
PID 2312 wrote to memory of 4568	2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe	84
PID 4568 wrote to memory of 2152	4568	msedge.exe	85
PID 4568 wrote to memory of 2152	4568	msedge.exe	85
PID 2312 wrote to memory of 4956	2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe	86
PID 2312 wrote to memory of 4956	2312	9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe	86
PID 4956 wrote to memory of 2968	4956	msedge.exe	87
PID 4956 wrote to memory of 2968	4956	msedge.exe	87
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2756	4548	msedge.exe	88
PID 4548 wrote to memory of 2784	4548	msedge.exe	89
PID 4548 wrote to memory of 2784	4548	msedge.exe	89
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90
PID 4548 wrote to memory of 1284	4548	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe
"C:\Users\Admin\AppData\Local\Temp\9c26f68d77fc1cf9163d4b8cb34fa30c3c78ca7967b61f319534e49011940b25.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc9fd3cb8,0x7ffcc9fd3cc8,0x7ffcc9fd3cd8
    3⤵
    PID:3476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
    3⤵
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:1284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:2468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
    3⤵
    PID:2148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
    3⤵
    PID:1568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,5540291341888103388,7274164721059417889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3000 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc9fd3cb8,0x7ffcc9fd3cc8,0x7ffcc9fd3cd8
    3⤵
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,418656057111300453,725785810532355805,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1752 /prefetch:2
    3⤵
    PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,418656057111300453,725785810532355805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc9fd3cb8,0x7ffcc9fd3cc8,0x7ffcc9fd3cd8
    3⤵
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,3354722937477957177,4111836243589115628,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,3354722937477957177,4111836243589115628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
09258ab12dc9431500175e6e3c77e615

SHA1
723e985bd3897e09b522b9f2de5f73d0a410a4de

SHA256
2423c8d317dbf552ca73601ac18896e3ee664fd86aab8c6cb05e5656b9a0e04c

SHA512
3a6db92e7e06a06b19d48fd9a2f169f50c5bee15e76b2ef9832639acd05b961fb3ce11f1660518ef24d0768660f2d854986abd86fb1926920726eca9ae31fff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dea028b12caf4ba1c0dabeb418eb5c2b

SHA1
cbe831d54eeb298bf28953f829a86c73e93f7611

SHA256
eb0917491f7cfa773e8e58cf487e86d1e737227c14b635fccaf3e2e59472711c

SHA512
e5488fa76d243679eafbb282e9cf58cc0c5e48ec3535c1a85bea508c44612ba986be91bc5f35e59d1bc8402c78af8c5796e1bd153b5094691500ceb38aedab3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
56c3a7099138439b1d8af87cd4ab9bad

SHA1
3e262c1fb70dce0f24dc2e489e5b3f3b57b03632

SHA256
d5b99e8001bcb3690ade28b350190a6a01007bb222ed83a9054d23c5424f0ab7

SHA512
9033ea1e55ba16cd348fbd4f2dedaf70b2cff2d152eedc1f1923b1c3a5e3d5a88b40fa9874f7d40cc84a23b0c2d3f527cdd01471734ada41e4ddb1b67524283f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d5ea9014c81acf9a01a017e4b6d2ae10

SHA1
be1158d4775ea5197b9bfe877b506c8021f715ae

SHA256
2c753c9d5b9eafd500a65e7640b6258016b0d61ae8da3e48c8bc442652b1c235

SHA512
2ac658309c9c2b4cbe550acb2a4eff23312f6748aaf1f8f4298c98f3d3972eb03db9adfe0d08bb06d621c8811914c8fd416f946eea160bbaef31fff56ead8abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3fd942d2baafee0e1898bacdda355b3f

SHA1
2e6a05d3de728bd23c6cb96ce9b04490a0e33030

SHA256
21cc41347377f7ea18e5439e4e92284a6738f2c3ee44a71b4e3e07b26af1045e

SHA512
52b46a7c73f3d6bce269aa8a55f0fa69fcbb4170568f6229c4a47e289f6c29899876ff425cec3bb0fa4c4b5db88e95bec8e396915a96930d588627d62776f7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
362126cde26d46817dfe4bed529fac16

SHA1
e70dddbc17a18c9569c9837b85faa78ed2b0ff52

SHA256
4b953250a9f30a9a31078af3942767d168689ede95c93cdeaff818e6d9a2cbc6

SHA512
906fc1748cf2f9203b01558ced8303526f60bb113bc18694390bc6d58c350345153caed36b81c1096138dff16fa7014adfd0b4400fa52e3ada9eea46c66b6494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
97517b236c1ff4903b77aa40b9f82db6

SHA1
6483d35131809653dc5ca8dc8e6514f40f532a7a

SHA256
7d5da18c4a7d17abdb7a828608b78c3c96bcf9ae2e1c4249ceb58fb81c9d5259

SHA512
51735a4f77ccac23c93eb0427a5c227616c92ec2ea054f4608e9964194374cab669dfa2b84dd09c69b9159048d37d8e6f48c2fe289c315ad66102fe5cf656528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
4efe04429c4f27a23867173926fc2999

SHA1
fbc66a31e8ca3814c3e3400f3555b2467ad2e61b

SHA256
055413913587a12af3d5fb196c7ef16308047e4a07d0d31a0ff5dd24c98a7cc1

SHA512
8a716cd003b318283918019d9a3c09dc512bcd7b183058bc550a94f32923d2ce588fead12622402efbb2429985a41e0b0a4dd659cbed91c90908502947e49d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
e89966b4e9240feddda942b6106c2cc2

SHA1
303e31bfd4ce6402a789cc56641aa754f6eb390b

SHA256
fb42e7d1190bda8aafcd3aa0482c0eac486f79ca121c216818733d748cf1a44d

SHA512
4d36eea21a7dce250b167fa68e000acd2485b40bbfa06573e76f44ced8b364d830ebe6ec1d4f7660df4262ae6d1fd963837a2f9fb66b156ca757a7a0997f08d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cce5.TMP

Filesize
703B

MD5
14af7993d83227c6b82dffbe2cf4da85

SHA1
4760f62a4afae084911a9b8d27e20bbc5a6cfc1c

SHA256
7ba55dd2ac27d0e628640ae1b93725df5ff827968f13d3ded4669b6c7219ccc1

SHA512
2ff485ea876ee915af1236904cd91fc22bf4cc206fabc2f2c7590611c151740ac14ad2af4c48d4bed6696894c80810641a89097ce7695d0c8cdc79b5dfa76436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
47c1b0cc7ce22acca1e8d738921940d3

SHA1
20771a0f708203f6dbfe784fb918d8a441b2de93

SHA256
e467f6e4fbfdc1971b8ded55b0763a2f20acafdb706442a31585bc8355a30b31

SHA512
5e47acd18a0568e4073d36b3dfc250871e054354ab13f54e828f90f926b06152df90a5d90a364b7e12d8646ad23acb120589ad7de0261342a0f36b9e33b2a431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
834c4025aadc2738af678856764deea8

SHA1
2137ec6417e635d211792b3f466eeb7794bb2e07

SHA256
1df4722830c624797a8592ef523da9f53c9e8924a4c60a55771341c3bb281d8b

SHA512
c153696f6c36478cdc1073d331e875791d0003d0ad59faa7c8cb76a7d2a2b6f098cc7113607c7cdb895d833deb849531bcc848488552040bc8be9f943ab347a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a94fe903e8d1b8d5462ce36555ae1ef3

SHA1
3365f56b3dfa452a710754ae613f967995c1ccef

SHA256
f4ef5f6f56d31e2f04550f31e2e5ec72a672cf1bf82d6b7c312f71f3feffdaea

SHA512
338d6f9b69c52a8a3cb53b96305bbd9d8210c8f0c85080a9990732e27938227ef199b39ec06c27fea854035d999e6a5f5074f2c8843cf93683e6b82b5fe363b8

Download Submit