da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3

Analysis

max time kernel
146s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
21/05/2024, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
Size

894KB
MD5

f16fbd1ca76a783a1333c3b5096dc613
SHA1

b6a98b9ea4f427a645e6503350327347786636ee
SHA256

da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3
SHA512

4a4362723ce740bd76230acb88f83755c63fa7ff5a872f9744285d4edd54902466e8dffb676d6640e946f2fec7740b1ed42ec35c8e661c53e1a4ce8e6397a8d3
SSDEEP

12288:+qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Tt:+qDEvCTbMWu7rQYlBQcBiT6rprG8aAt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3564	msedge.exe
3564	msedge.exe
916	msedge.exe
916	msedge.exe
4184	msedge.exe
4184	msedge.exe
5060	msedge.exe
5060	msedge.exe
4832	identity_helper.exe
4832	identity_helper.exe
1000	msedge.exe
1000	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 5060	3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe	78
PID 3408 wrote to memory of 5060	3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe	78
PID 5060 wrote to memory of 1628	5060	msedge.exe	81
PID 5060 wrote to memory of 1628	5060	msedge.exe	81
PID 3408 wrote to memory of 696	3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe	82
PID 3408 wrote to memory of 696	3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe	82
PID 696 wrote to memory of 900	696	msedge.exe	83
PID 696 wrote to memory of 900	696	msedge.exe	83
PID 3408 wrote to memory of 3060	3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe	84
PID 3408 wrote to memory of 3060	3408	da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe	84
PID 3060 wrote to memory of 1676	3060	msedge.exe	85
PID 3060 wrote to memory of 1676	3060	msedge.exe	85
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 1904	5060	msedge.exe	86
PID 5060 wrote to memory of 3564	5060	msedge.exe	87
PID 5060 wrote to memory of 3564	5060	msedge.exe	87
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88
PID 696 wrote to memory of 1000	696	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe
"C:\Users\Admin\AppData\Local\Temp\da4630dfea79b6b7003ecca4174f484649be79c501665df88d4cfb95310034d3.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd88713cb8,0x7ffd88713cc8,0x7ffd88713cd8
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:8
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
    3⤵
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
    3⤵
    PID:1392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,9693334351934251064,64125505019106869,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3276 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd88713cb8,0x7ffd88713cc8,0x7ffd88713cd8
    3⤵
    PID:900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1609267341413903748,15635219902198708403,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2008 /prefetch:2
    3⤵
    PID:1000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,1609267341413903748,15635219902198708403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd88713cb8,0x7ffd88713cc8,0x7ffd88713cd8
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,9999358870103212276,6032856077700220877,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2004 /prefetch:2
    3⤵
    PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,9999358870103212276,6032856077700220877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\97ad07a3-3e6c-4324-8bb6-5dda53d68e1d.tmp

Filesize
8KB

MD5
22c049ccdc7a0bbce83dbfb1d7d8d26a

SHA1
f06a0828a19c4688952d15745e481e35c7b29464

SHA256
c939d1780962a777345f17039f85467aa4cbf7a2c21a96cadf441706e44b43e8

SHA512
6533385ec295424deda2833cf5f0e419d466fbe27e5979ab5b6a8fbb86109b67ace9d6b85a94c950ce6cc58719a33475acd8378b5c9aca6d5a4d20394665b119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
464bcfef67efae48867061da122b3306

SHA1
ad82173a6777207098582278d4f6719dd332fe3a

SHA256
be6a5aee61131e108dccf05bc0decb8af6042192cf9c024a072294056ca58f15

SHA512
13463ae2344a7d58b5ee0de9aecdaaee77a572b4edca984f21ced87f022543e6a105e8bea2d873c4c3f64c65019623637f2f75306b1c9378aab8c17e374d3dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
71757c869611c205d166dbf835010154

SHA1
a7e739d378b4ee2b7afd321cd3db42187037201e

SHA256
1bef19927bd4adc898f14ea4073e95483cffbc9bfe86b31c74bdab9105f27115

SHA512
18cdab199e9d10d1067c296fc343fc9f153345a8be30ceeff41cd8b31e39531c3251be09f1a7f6ac4f99440095766c0382a22491ccab871560d6df919d6b1c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
31a007c4a983f6a5312ca32f7b669b0e

SHA1
714651827f559a9413ff691c8330cb58d797845b

SHA256
ee7bcdbb8b094b18b3b072fc1763e42ac4c0164ecd28052cf48b15a7f62ac338

SHA512
6aeaf75ab2a750c1c05b5e06d4a4ccb81725eb38b8d2e4624e9f2c87b736b6ba483ad326ee464d378378c415fd727dc966402511169637d3b44042ab2d29c00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1631fd4ef6b98bd45ece2b0444e88663

SHA1
5cac3519b549c15232de12cd276100081aa32070

SHA256
42884d36bf9004dfb6df422533eb4f21997a86e80e962c262af08bd0be44779e

SHA512
ad981a40957377928301b624c6e9a4ad2c807df7e77f49d8ee79adc6a787b93b65f1c3d9803aac93eb1e03c01e1749f2d126e28fd07436641a75ea130ba53911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7dc7ceda84885a2fc3975d3cd728f86d

SHA1
b7de8caa87b4ec6c8a5faf2a6fa4aacabf699f9a

SHA256
0111f9c0a3d3c01f0dc39583c65d317339377cf3dfde81ad0e136e4c6f060b67

SHA512
b7e789bbba927fbba7b0862726a35586e118d61e204a8e63a7b00129192be877ee17be9fb60990c0518795e20dcd918eb46cf686c3b1cff74cbaf5ad53d2881a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d4f0bb6d32599f9008deb6dc4255c797

SHA1
634bc181c50e8b652ea3230418596b69e105a61f

SHA256
5e3b68bb379654de8e6124635062abb366ecd6ae901cf49d1fd9a27cec422ee3

SHA512
fc26900f2a333b84beae8bd8c38bcacd45c721f150582e72dffaedae72c8efb4cd457a92052e0406d9101cbe0f71e585ea53874ebbcf4a3bbd299d87bc00cf43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
b9bcba802c80fb8e5f8b614f9e749543

SHA1
a6ddf64603e34bf9fd50110ae4f94a025033b1ae

SHA256
0d2eda3a1e87daeff9794a05453328060cb8b9daa91f9535b207925a074b7bb1

SHA512
6fd07b4641b56ed9712644cddeab4366348dadf9c29de2fe3c136bc529422e902cd0e2d551b8f676654133f8fccb0221330781febdf833fa62972c3a585bacbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
f02fd8ee183564d77ee28e9d28ec317c

SHA1
964029116748199e36e60bc0878dee9f49682074

SHA256
a77cfa8b077a24cfb116999512440d8c49819bedd420fd015c67998a5b4f5d8d

SHA512
b87a1b74aaa37a7116a8d6af7b918ac8eb07e908c700827c0d738e9134dc941094c69c7425665f607f278a450f8ffe77eff7c1266d83cb7bfef6a0794b1b97e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a9e461991221c42f64d03739fda8180e

SHA1
b48d472040e71c1e9ea66cbfa95d6d4519929843

SHA256
55f274f3d9649457ac881c05e4a6e282fe60f328ba2abecbcd8434581090441a

SHA512
dfdd4e3f95b8352a2c93ffbae3622d5c5be96e01ea722b0307c07379f43cc169216272cfd1a13e174920717f346d02eea5c02a1487ed399c929f097a5f727dec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
55f681129537c07ffcbe835eef91f916

SHA1
f0f46a9307cea5cd3de7929cd253c131afbf2a7b

SHA256
064d220fc6465759dd5190d450f0961223bb8a080ede5e157eb3fed49e6c89b0

SHA512
d6c0bd6593f8ea8675a52df2098e947d84c9937e760d9ffea1ee166fbcf6a8d0d69a78a258f33b6015fb4daefecfffeb213d7790bde645ea9d2a2e9f18371674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579635.TMP

Filesize
707B

MD5
3a2f3eaab27265be0e115466de564602

SHA1
5c952afbff20c4245f664dcda7a02870e23dcdd5

SHA256
642333a541a80afab2f13e9766f9acd1807cd0fa5eaac4d11fd3a3351478dc52

SHA512
b2409f5d5009382a46ed1008a61b8537394d5045af14f0fa53f412b6c1a4bea5d8793ed807d4f0280708e387b01fc6df64382bb706e8a27ae26e0efeef1bebea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9b773314e02cb3d6d1c7326623b5e2a4

SHA1
9fc34f6cc34e925e455cd8bd8d939d649bd457c7

SHA256
570937d1fcd64ca2976d0d36ca9939d479f0bb5af30477416681a1252bdb5a3d

SHA512
c67fc4c0c7078a531ee1ec944c735335462388613b2a40be6a15c1e81c91ed4214e50f19f49a67fc22e5e95f6819a47be5b8657fae005950c359b8ca2910b618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e915b1241e65a0b69e16ef81b4224f1

SHA1
ae0dce7dc31c8327f1b25c3f5fc5b427cea83fa0

SHA256
02752b5d1dcd2dcd4ad215580381f626b88f95951dd202a02ab57f02b9fc2c1e

SHA512
94afc30939a1c9f0806d79e9224b572c5e31780b6ee2f9f25e0ce229d305628fb1f8e6b63e05a01f1535bcfb9b42e104050d0b7eeee822d6f07390ba0f42e2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
932ac994e887d1502c294784449cb4b5

SHA1
6ae89f2e1a3cc715c51b9fa206aeb67644c1e045

SHA256
cccddaf5cc5ee85672735a12f3f788298c9fef7ecf04a3d8907b0fe0d296511a

SHA512
3515d9abe21c6522421bdb85d22206af40d36f8386e6bc3465f69c27c37f86c722c6b9f095dc4578ce3b572f530b14bfc855193ce15c4fc899d474d593df030b

Download Submit