b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58

Analysis

max time kernel
146s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
21/05/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
Size

894KB
MD5

20822cf9ff71c5db258373523edb25b7
SHA1

34b40f65ef87ccd0435e765bfc505054fdec4299
SHA256

b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58
SHA512

89da892900c21149be669b6b64551fddf8acd78d0185e25920bad59172e147a46a222a1c0009c4afe62b14be20c2b2de402eef98a267b298d9627d31224de6ed
SSDEEP

12288:VqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4T5:VqDEvCTbMWu7rQYlBQcBiT6rprG8aA5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
804	msedge.exe
804	msedge.exe
2192	msedge.exe
2192	msedge.exe
2508	msedge.exe
2508	msedge.exe
3100	msedge.exe
3100	msedge.exe
1620	msedge.exe
1620	msedge.exe
1732	identity_helper.exe
1732	identity_helper.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2508	968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe	79
PID 968 wrote to memory of 2508	968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe	79
PID 2508 wrote to memory of 328	2508	msedge.exe	82
PID 2508 wrote to memory of 328	2508	msedge.exe	82
PID 968 wrote to memory of 1964	968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe	83
PID 968 wrote to memory of 1964	968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe	83
PID 1964 wrote to memory of 4660	1964	msedge.exe	84
PID 1964 wrote to memory of 4660	1964	msedge.exe	84
PID 968 wrote to memory of 4348	968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe	85
PID 968 wrote to memory of 4348	968	b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe	85
PID 4348 wrote to memory of 1184	4348	msedge.exe	86
PID 4348 wrote to memory of 1184	4348	msedge.exe	86
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 3724	2508	msedge.exe	87
PID 2508 wrote to memory of 804	2508	msedge.exe	88
PID 2508 wrote to memory of 804	2508	msedge.exe	88
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89
PID 2508 wrote to memory of 1084	2508	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe
"C:\Users\Admin\AppData\Local\Temp\b159c429c3072e1e9649127d637c770082e68ddcd32027beb0d1349c636b7b58.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff949d23cb8,0x7ff949d23cc8,0x7ff949d23cd8
    3⤵
    PID:328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
    3⤵
    PID:3048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    3⤵
    PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:4104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
    3⤵
    PID:1572
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,12922736413930891459,18167845116952261334,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5924 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff949d23cb8,0x7ff949d23cc8,0x7ff949d23cd8
    3⤵
    PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,7218647933406665566,13396986099698038755,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
    3⤵
    PID:1896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,7218647933406665566,13396986099698038755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff949d23cb8,0x7ff949d23cc8,0x7ff949d23cd8
    3⤵
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,15097708305637306328,9478425114266410301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8294f1821fd3419c0a42b389d19ecfc6

SHA1
cd4982751377c2904a1d3c58e801fa013ea27533

SHA256
92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a

SHA512
372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
390187670cb1e0eb022f4f7735263e82

SHA1
ea1401ccf6bf54e688a0dc9e6946eae7353b26f1

SHA256
3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947

SHA512
602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8a026573-c873-4bd0-b2c9-23affab81aa1.tmp

Filesize
707B

MD5
765aa433b20c4c11cd0c922666bd268f

SHA1
6aff00a3f3f854bc3d1a1ab246d1092561355228

SHA256
79789dae8aafc9c0b8cd2eec1cd40116274a20486d9c073a2f7964cd315fa877

SHA512
dc0bab2ac119b1ba80825c5bb5f2ce24a28b4a666d363940b98261bb187f208a4f6f2200cfb28a2e0187fd0689c5a33d49b77caf629c009cde06c497707a69e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a31586ca684117e2b596ac17c418e3a5

SHA1
b86ca36bc3341127e578056e8e38a2c43acb6965

SHA256
ac2301fe2c168a8803bc5ebfeef84f2ad48c17c1ee7431b08d588144745789af

SHA512
93b5447457adec7af3f456a8b02d5c1a1bdaf136b46105b3929a1377678a1bc0efd03447353e9181b12389efddddc52296f6c9a014df24f28b09c3647ceb4e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
139277e7cba5c1e0af4d6967ba7b64da

SHA1
a5a0456a15a4b174fd04c21e392bd8f1c01f70e4

SHA256
5053480a3c460be37b9c44c528dd2f5c1f7e9e335f0e0b3e885c0cc194c946c6

SHA512
59c450f91712e94bcf6f4ea3d2c1f7625c4c9cf3565e5c40f505fedbe32811c2d476ee41b2b6eacb56c26e11ce8c6a166d568e27101c379f0a04c9c7fdbeca4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0d83909a0800456fd5e0fbc609ca9a0a

SHA1
f1aa6c5d7f843c141da97c9a227f5b86301bb147

SHA256
ab1c68346cb21c339c08fab45ac1be3cfb2743a11b7c78504eabb641166f00d0

SHA512
6c5ee168189298e74d1124410d150553eb9ebe2367062cf0568f06d5a870c86e7c1449222b12711dc3b9caa71eb3914ffd1ea1574991a77f25b57ef7cad00f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
35b9e1993cdc62848790fc51b2365f44

SHA1
0544cf4510fdc70da10fbe10e240dc5f1de3cf4d

SHA256
1d328936f5b908ad56f308b521043c9a5b22effc683e10c47aff313ef4993942

SHA512
fb89476361357d93174e3f4a64a2d26efe4a21dc7c12f0838135bbb61a15622ecc72b98ed18aacdadb1ae07f4bbaee9d0e03554d639be1ecf5fc9e0181a2a743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
cec95cc5e27388620a4bd145893baddc

SHA1
f6598847495f1b6fd9ac1eae621695d08b116da8

SHA256
6aa855465568c93be4e7b1720c7fdc3bed40537945e3b179291bca3c21b35932

SHA512
229ac18a78f734622f34dbe34518574dae4b48dbbcb787dc69fc2c291292a873a8d40fa61208708ac8979ff07363c473efbd670a79e1437caa618bca0170b91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
ebd16c8cb29411d3d6e425fd22718284

SHA1
9151d9b809b173244ae838191f9cab892edf8656

SHA256
1f0f3592e64cc995aca9d1f3687cc34114898b06dbf309e5d564c8a77ecab97a

SHA512
eb03450ee2f2faefd034c10fcde2242ffe16ab8d39bc1a3ed312570f0279675cf5258b891666c91bb0257ec4b8e4f59f92159a522dcc07a2d300b63016bc3940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
06ed0abbe0516861b3b44f872ae7ad1c

SHA1
47957f37d737dcd1f02759f4dc814e01fad602ca

SHA256
28c7c91e2323351d7f5175bd29419d32684af7f2710d0cbbdb9fa881f330f9b9

SHA512
058331e88e9c7586f2998253a0cd991baa3003e01335ad3b7f95ad843f1726679540f7836b882f5a5d58d291acf138dcf2da3d2013b1e37cc72a07cb9e92240d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bd16.TMP

Filesize
707B

MD5
f2415ccc9116f8b2679048ad9c91366d

SHA1
49c522e2e8237075851cdd4c61dd39b804ae4968

SHA256
b7f0f40df0c09f02064c56d2c87f360b9929191cbd0b473604bfe920cf0b14fa

SHA512
4e3fb70ff19bdfa7dacb26024f2b6ef6e904e1fd2d4f775f5ab310aca412cd293c5423ce07f0393768ab9e4b035ff1aa5349d25c2ad217f0347aefed9c662772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d08add4c-2afb-4b0c-b6e0-262e51eb9616.tmp

Filesize
2KB

MD5
2b948e97a6b6df4c434cd92fd107e7fe

SHA1
3dc3a36e6f5300c3e7550e5fad7a2aa5f05a4aca

SHA256
a5526973da8693f57ec907d71b914ec76bd787c5f7ead6f6eb7044e2f7f97fa4

SHA512
289873c0cc8da2379afd900e31ef6be054f8933324cad354901e7f0288e9b2f9ae809c49364778814a79c54d1dafc83fdf84dd1e9f7acffbb9d0de3132acf671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
75d3f32d4bba82184c251f9afdc7468b

SHA1
8b5336c2dc96abdca8ba352edc119d698d131e30

SHA256
baf8e37684fd87b0850354e88af8c36d08e907dfafc2c5ac9cfb2ed9cfa269eb

SHA512
bd2037ab92e41ccb928cf61f864475a962c1cc45c44d5c9c4c5a79cb222104074699347c5896c342b954c7ab553e83a6a754109c7983be79fd066854c977d390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af0fa09ab7b6ac4e236c93fb670f01db

SHA1
913c97a8ae34c6dc26ba702d1ce4a23861a27bcb

SHA256
a8351d2b947c43e3774929d63e11e31d597b66d5f7d63725c4343a2a21e446f9

SHA512
84f5e9f2c578ecced4585da6d15a0e9e0b95e49cfa62cdb7ff083b4c557b184e3f613234f8023db6c5a17547126f3ed4d4c67a58ae0dfeff04b9b95587e54c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
32eb652f84d3ba82c3234ec324c6ccca

SHA1
d402fdf3587a94cb23877ac39b4c7147ba402a37

SHA256
ed446ae4e5b41f6a4dede85cef77974a05576ee94b903f8058c5a392b776d4f9

SHA512
43bc30e3db5f4bcc754251e50085c9e1148e496ce15731ef49740bcbf4f585dc041697527b40b3bd6da24c19f508ae834e5a304cfe416fd9695cf7a55e1ef544

Download Submit