5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
Size

1.8MB
MD5

cc7742ab2912d546790d3a2031142714
SHA1

1daeb40199664eb09f59432130da1529d53c7052
SHA256

5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd
SHA512

b5f519932c6f70fe3a09300ac7be51013ab64e58124ba4a584cfd9473f031b4452aeed6c25c7ed456d074375d01e0a51aae1a7b8ddb38d33472389cbf7c9e1a9
SSDEEP

24576:m3vLR2VhZBJ905EmMyPnQxhe4RLwvHYgUBoHzC/hR:m3dUZTHlLAl

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\E:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\P:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\U:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\K:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\L:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\N:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\S:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\V:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\B:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\H:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\I:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\J:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\M:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\O:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\W:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\Y:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\Z:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\G:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\Q:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\R:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\T:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
File opened (read-only)	\??\X:	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2568	msedge.exe
2568	msedge.exe
1624	msedge.exe
1624	msedge.exe
2360	identity_helper.exe
2360	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
Token: SeDebugPrivilege	4348	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
Token: SeDebugPrivilege	3564	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
Token: SeDebugPrivilege	3564	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3564	4348	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe	82
PID 4348 wrote to memory of 3564	4348	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe	82
PID 4348 wrote to memory of 3564	4348	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe	82
PID 3564 wrote to memory of 1624	3564	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe	84
PID 3564 wrote to memory of 1624	3564	5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe	84
PID 1624 wrote to memory of 1256	1624	msedge.exe	85
PID 1624 wrote to memory of 1256	1624	msedge.exe	85
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 4312	1624	msedge.exe	87
PID 1624 wrote to memory of 2568	1624	msedge.exe	88
PID 1624 wrote to memory of 2568	1624	msedge.exe	88
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89
PID 1624 wrote to memory of 1376	1624	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
"C:\Users\Admin\AppData\Local\Temp\5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe
  "C:\Users\Admin\AppData\Local\Temp\5a4af59a566a12f3bc65d83a9c3a9a6215fe82819586896a6b538105ee00f5bd.exe" Admin
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb82dd46f8,0x7ffb82dd4708,0x7ffb82dd4718
      4⤵
      PID:1256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:2016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:3460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      4⤵
      PID:1076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
      4⤵
      PID:3228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
      4⤵
      PID:2492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
      4⤵
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
      4⤵
      PID:1912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2645987650300991066,10444923666552517435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3404 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
44427d742a14a8cbe1c715642b40328f

SHA1
67c79099927db52c1419fe81aafe84cbdd290030

SHA256
b8e8e8237e8bd74cb654ed9e4d1c6af0d96b089927112904e757dd98602170cb

SHA512
4516337ebf312b039c7e527a88e704f1311aa2e10270b5bf4271ca2a6e17bb31c003d05faaaadcdda5938dd789e7de8e699e0694f648d9d71196f75f3f1728a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c64dabc848854385b0e9b30fe429dfc7

SHA1
ce8e80db7b0a7fd20f9b25ae475b7a193f0066d2

SHA256
c4e86344c6de729f249fc2e46753a02961fb53914b0184e28f0b6de9a96eb144

SHA512
84fa2c2426ac1ddae8f9bd4955636398ebd413a6e2bec2d7ef4631b809e13a7686ed32ee9eb7dd391c1c1fcc65cc4a7f48d6c75f30ae1131e7bff939b5e17343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94ef0d0a3ca88ced8463357621ca8176

SHA1
417b6f4e11a4aa3fad68122c748fbc917268597d

SHA256
369e05628998fb499faeaf72f5d45cb76ac8279e71af474a69d92cbe1427491d

SHA512
b53cac342b796742b70495d6069568b4b8f7f994c1ab31ba8bb6ab254589aedd3e30d08c015abe7cb2abf6d87266a0f274f8716cd887e9dc882995c3e9903400

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
memory/3564-6-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/3564-5-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/3564-2-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4348-0-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4348-1-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download