3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17/05/2024, 00:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
Size

894KB
MD5

70636117aa0855bc3ce4f3400e9a7f04
SHA1

e54330fb788dcfc70ed92cb1ed2071cc10d367fb
SHA256

3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437
SHA512

289e657bbe77ca2b7ac220724184369356515ded1478d4810ccb1246d53e0925c493a1fa02ac00877515a9d36bdd4ef71b498a9e7d08b7d93ff543465ff67e46
SSDEEP

12288:IqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Th:IqDEvCTbMWu7rQYlBQcBiT6rprG8aAh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
4700	msedge.exe
4700	msedge.exe
4960	msedge.exe
4960	msedge.exe
3512	msedge.exe
3512	msedge.exe
2620	msedge.exe
2620	msedge.exe
3348	identity_helper.exe
3348	identity_helper.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 4960	1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe	77
PID 1524 wrote to memory of 4960	1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe	77
PID 4960 wrote to memory of 32	4960	msedge.exe	80
PID 4960 wrote to memory of 32	4960	msedge.exe	80
PID 1524 wrote to memory of 4680	1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe	81
PID 1524 wrote to memory of 4680	1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe	81
PID 4680 wrote to memory of 232	4680	msedge.exe	82
PID 4680 wrote to memory of 232	4680	msedge.exe	82
PID 1524 wrote to memory of 5044	1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe	83
PID 1524 wrote to memory of 5044	1524	3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe	83
PID 5044 wrote to memory of 1084	5044	msedge.exe	84
PID 5044 wrote to memory of 1084	5044	msedge.exe	84
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4960 wrote to memory of 2872	4960	msedge.exe	85
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86
PID 4680 wrote to memory of 1040	4680	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe
"C:\Users\Admin\AppData\Local\Temp\3bf24adc06d4b9e4607457b62797a627222c9ea91f009bfe99b9eee078aa8437.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb3153cb8,0x7ffcb3153cc8,0x7ffcb3153cd8
    3⤵
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
    3⤵
    PID:672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
    3⤵
    PID:2132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3172 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    3⤵
    PID:2860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,2576300387643341611,17469798158351632032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3672 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb3153cb8,0x7ffcb3153cc8,0x7ffcb3153cd8
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,15173051158121049546,4849924413224356508,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,15173051158121049546,4849924413224356508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb3153cb8,0x7ffcb3153cc8,0x7ffcb3153cd8
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4318708234975203194,9230509837293521462,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:3852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4318708234975203194,9230509837293521462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cf937d73c1910820396e7cc32fe842b1

SHA1
f76a0ddd82c6bb82a81bf1e961de391037d088b3

SHA256
71e658c450382a0aac22052a1266abd2b5726124918a2721c6758ca306b10569

SHA512
c6cda517a0959b448735bd1902e702313b2caf469705f6e4926a9ae145beed8f858f227c25ccd3a6076851fb0dc6de8a25538641587c217a4436eb91078ef5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b137c584334afa330f85e333716beb45

SHA1
4f2aae3b02d8e90a1c4e1bc556d4f412c64b4d1c

SHA256
407a8de1ee5aae5f7c3e46b5cb1cf2bc31ffa010a9194825a16d3b14bf17c776

SHA512
90db1407aed8b76e9cb1d259a0fbcf81ffcd1324e790eb9038c75a38cf505699033ac8718c4b99c1fe3ee363d1597e4aae24cc699e8f5d3c5100b250d9299404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9704f801525c5b84f8d35204bb2a1f54

SHA1
18b9dec3776c3a9bc16a554478167befa9e82511

SHA256
4593d5ed5a1f03c1d3ed66065ca8945388054394133584fac8a0d67d843a4c84

SHA512
6eb025454ea61114af84f7e342c58b4938ae0a1f0c47ba0b3b4b24a39a985146c610ce575d3104f299bdceb2dd870a7f6f687a974f777ed4358b08a01906f82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
496ce78a23326531a8b01d9e2e7fc228

SHA1
c1037c300d44e2b15572da770cfa4e7f6b6c217c

SHA256
658236f23d2a710fa9495025d940cc66743286e72471d60f829e7e8cb7e1d07f

SHA512
28c0224ee07af986d5d785f5248d0551206a4de3e03bf10155d2a4e18112b076392c19c27641406bbdd12ce515f542bd04f951d81cce2511afb295829b198a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
57e2c179dd573a4d04c3b7cd83579ec7

SHA1
9b6250835b3e8a962043f6110a9040e92580ba17

SHA256
e074c4cc5a753648956091b0802770f299f3fb678e0ff4224122c48ba17dd28f

SHA512
31bdbdd2b3876b11c9c3fc4b378fa09d55bd57ea07a01067e9c462089b8d7c8b03f4a9b61c94596fc3dfbd3abfa0bb3eb8119f4ab72eb3b60b255764ea382d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
717a8e24edf24becebbb414a4de50461

SHA1
deefa6079da07cdbe61cd67198ddc4a587e27562

SHA256
d2686685a91142240ffe9e411aa3cbb39c7510663b7527cfec2e0aca218590a0

SHA512
db4dabd6d8e120b850570b9a75b3cc4ba8f0a824e297d03003b05437b90f327159f5db36970d8800fb9616848eb191489567c86736b7a5fd7c46ba1613ef8af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
ea7dd3eb5e8106a8044e8c11e6e563ee

SHA1
436f745c4127573923b1a93298bba39b17eae535

SHA256
84426f2962926d4408b14ef900fea5f81d7603f01880f86d2893f2e817ce6da5

SHA512
9a709328881de12544bed5b3e56851788c6d5a7beb5b090cf75d8acbcf42d0ea30062c4ebbd6c442ed92628e7c62977265c3ef241c803b2e0a4581ab619251ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
7b5f0573396f82740f9b317d4ea330c4

SHA1
fe28b93dee37aacffa32a8c5c357c8286c5d22d6

SHA256
58d91fa8d9b3f56d5687a50912ab8c9502ee8b178a883ab65a228728684a884b

SHA512
78ee31dff82adce95a615f7ab1b70edf68ef8317408a35abe3004acbe21b5378d7e4b34f1a59606ee08818837df91ee8fb3729dfa14d05968f476353fb15e181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b17d.TMP

Filesize
707B

MD5
b56d255b5db6ced888d570595ff37ada

SHA1
ceb09a074201d781232503a8db9283be5d2ca179

SHA256
5d31c7b5d7194b669256feb713caccde3bc1b33526b2e4d9ae0baf872b8b930d

SHA512
ab0b557a8d84b68e7e330b0cfb3bcffb26e73b4a6efb335dbfd261df32e6423c9d7555529159a1ea002aa07158b430d9ca6b278c5aa8b3cd650841ced0c8db44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c3bd5ff29b92cba07c01af442b67b273

SHA1
827a420bed32491dbcd411daf36919b6bd2b7e0a

SHA256
c3745d3ca2846b0c8df0955b6f75a9a4dfbd4921d31a2db54f0036d930af0e45

SHA512
fc41774d89757700a8f31d9e6fcce5d2d66bd16c820e087ba3ebbeb5241973881a8e3c3e3665d3f1e66130706da713c6499634c481d75d6665ff38879afc6e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b53176467757e944c38aab1bfe153827

SHA1
6b1695032ba50405584c9516b32f771253415fb7

SHA256
923d73943d4fb49a232eb24b435226babc7cf52070ebbc8436c58a0360e77b6f

SHA512
76e5baea3d88d9450b6c90aa6e75060b3b8a0c906eea3a4dbaea6dff7e46a74da5b6eb0c47f510876bba5dca20de8b86a5bd8d400b3168061ec70036e0d2d5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86b8e2fe5cd9a022e084f5f719a5735f

SHA1
502bde151e7f53ec38e71ecd860831677d25c5d5

SHA256
56539ae8df484a094d6c6207437a04745602d5784e983ec0cd0b244c901913a0

SHA512
66d635e79e112492ae60164ed87dd66fd044d33e68c2c1c4cf4f9655796fb39f9d62c6d02546c42c9abad1825e1d65a8283f4ffc4a85a9437d555861fa599f54

Download Submit