5675a5b4a43139607b4ae939b3a059623a30f4ccc0704ac523ab43cc08affef5

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

redirect.html
Size

6KB
MD5

418799dde46a523e3ad86de729d4b489
SHA1

5bad5304391da7123f127f38a94fce93b7a2ffe2
SHA256

5675a5b4a43139607b4ae939b3a059623a30f4ccc0704ac523ab43cc08affef5
SHA512

fc06c52dec2e4472d875dd29bd9d8f3b15a03f5ca5f5a7eff48c0a4e560a9bc08ebf8419f3d0caefbbee83e2e2b6b6a3aad9adece6f583f536c03a9a7c327fb3
SSDEEP

192:dHHLxX7777/77QF7Fyr50Lod4BYCIpQO2XW:dHr5HYm0+CIpQO2XW

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{E3759E22-69C0-4339-9875-89CF7D9424F3}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
840	msedge.exe
840	msedge.exe
4048	msedge.exe
4048	msedge.exe
1876	identity_helper.exe
1876	identity_helper.exe
2924	msedge.exe
2924	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe
1064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4048 wrote to memory of 2976	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2976	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 5016	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 840	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 952	4048	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\redirect.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc76fa46f8,0x7ffc76fa4708,0x7ffc76fa4718
2⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
2⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
2⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
2⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
2⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
2⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3360 /prefetch:8
2⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
2⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,5735895773544729845,8480824360885689476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5460 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
4536ecd46e5cfd638db69f588b7a577f

SHA1
3b91eba1b35c0c43e8c364a91905305cb7b4ae2c

SHA256
ec7fcda75a33410830dbd14dc460a13dfa9c30d0407a58827a5cb756ba9f217c

SHA512
369fa91b4bc71629eba34369517001133431bf9a7dcdaa20e08dceb97e45250e9d51117377106a8db863366cd00320fea2b5721bd610a1221329102e43fe168e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9615f81c013887193d41ae22ed278063

SHA1
1fbb53e9356da2ff51d6b254288263e74ae861da

SHA256
8503bc49d054b02a035457e3a3094f97ba27c187de4c370358de4a141d31260d

SHA512
c14567e62000afdade1df3bd38775efcefddedce42ca0d1abed32934669f5d55c1567e3cfbb175a719b3080c2678d08e8b51f9dfe08b4bc5d0b8de8c33452c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
873B

MD5
729a45d8309baca5c1f671f38791d737

SHA1
84488be38c2859dce4071f166b61ad1dbe99dcba

SHA256
4c8e70b1d523966a2baa51f027170f2726317f5ff1689318f891518d25573c12

SHA512
7251bd368ddf194a5872eadd100f97e4fa2435cf8cae4b24e703de867ca1ca8286f0b4ee0f0aa5f4d4986b4a6800c2903e5a939cc922d52aa2d45d54f364dd99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba75e4f2eb91e4463252800fd7ad9f75

SHA1
a3b1ef1ee756c2026d58d1b0f0145b3956f9337a

SHA256
ed5d0b21f697c4ff504ff47f35ed769891625ca1d03255a4bef72474f30b40f2

SHA512
f0741cf20a03713e6e49e7488deb920aad06a0547a3371a75f8f7d60854b19af50c073107845c46cb322e542323cf025990692dfc3ff3a93e4d5d7e5f599985b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0174f23eb76bd18da20b4570dfdc0130

SHA1
bb234e4d93f48fb2e2fe30e2c63699b814c9734b

SHA256
366343c6363859169c040704e1e98ec3a5aef48c0db623c54ca756f9e25884d1

SHA512
f980a656f46063180d17717c78e5f49b7e771ca714ef81041e4d8650c3916a09c10cccff439740c8cefa9d53f04b070624bbfcb807a9d6b320a748d039d65812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb7ab940b57d006cbb42e47a357ba535

SHA1
3f75a3c0f60275f38b2c4e567d3976142f5c5e21

SHA256
edfa0ddf8686a4af936528cc112038ce021ba30f19a0b62abc1883d25daed548

SHA512
ce0daf8593eb18eee4692c46391e2fbbdf3d67d3d2e48513c6f517e23e86521bdddd0fdfccded5cb4785d4b0ceeb737758abf1d337ad03973ccc3adb7867e20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f94e5ddf751a3358847781b8ef9a3b43

SHA1
da44653bf08f4c70c777060db60bf9ae169504be

SHA256
18879df6ecb29595442751a8181e98a57f7e6a1d849885c30fa771d64afb240e

SHA512
1d465b78953502fa82048764f39bb222412bc196d5587665a404fd12cd3b6e435673055f1fa54698e9ad6cec17229fea4da2b331ca93f635acad2f7ae1596ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
785402572ea2cf43c3f8f4b2a50e3469

SHA1
edb139ebde5162313c716ae4e806e8c58ce96a38

SHA256
8e41ac5d44524d2436ef33d9c3a8ed50f820c838e806176819f793efcd717450

SHA512
82ceb9775b186d7ac4a57d9e653cf738016e4fa7d5f5f9f3bc12fc1f4f58816d681811d914458778c46d7fec1f5381c8a0cb61959a55a927fabdbd0e020de2cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
589db23ac9476bc25230def88d354d73

SHA1
878e1a7c6e1fc8f56c582636f24ea25ce4eb0af5

SHA256
0ca6a4695f4b0e2e398080fa695f13d0c802566b410ad8de3c0bf812050c65ad

SHA512
35b98f49e0a87c287f51a7c45777ae5a1efd44ea28e6cd499da0e465b30b56c08e0294e131284ceb2bd06c3d3ee3919b8f80a5a92eadeca76a3f347e55bde8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
b31c0ceceb159a7cbfdbc9e82d2b1e54

SHA1
8dfa6c97d16c660f3a696de80ad159faeb075e4a

SHA256
358402ed7a2fbc36dd986be504dd4a358d22816972bac3caaa22f8a4ab8f06a6

SHA512
5afb546d5b8fc3018da89d2d801b152241d51801fcb4a63f2b73163bfca9f8fedc4e410398164a6d2bdcd51437f1f8b9a7e3fff9fba326c0e68696d1b9a01958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
8249f8aca9bc2f7acdfc48e47aaca4cf

SHA1
31ee3d53ea1954629b4256a65f122dca0b0b9fab

SHA256
17ded8a5c84ec9742730f61b1b4cd91d708fc1aa13a39645359d7b79ffdc52c4

SHA512
ee49a7ed31223ebec8e330ad531cea5e07f2a3b1513e84d3a40c93ebec1de2c2db5872c2bc6e498799617a9d83915c4591da2ad8c6489f1d63bf56601d117d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589efa.TMP

Filesize
37B

MD5
661760f65468e15dd28c1fd21fb55e6d

SHA1
207638003735c9b113b1f47bb043cdcdbf4b0b5f

SHA256
0a5f22651f8fe6179e924a10a444b7c394c56e1ed6015d3fc336198252984c0e

SHA512
6454c5f69a2d7d7f0df4f066f539561c365bb6b14c466f282a99bf1116b72d757bef0bf03a0e0c68a7538a02a993fc070c52133ca2162c8496017053194f441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b242ad127983383dd0954de2fd0bbd5

SHA1
91aec08c74d3afee291d574dea32460b90f46f45

SHA256
2836a0bea43e037a44c32b5fe7c64972da7911edee3990ca11d03e4605451ac1

SHA512
17ea17304a9459c821bdeb52a141b3922f064132f6dc768151c3c6250e792d55f03429e0a0dbe9cb68c711a50b984610dfa430fbe88d06f298d10a466565e0fb

Download Submit
\??\pipe\LOCAL\crashpad_4048_AZGPVAFGCOVPVGAV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit