c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
Size

1.8MB
MD5

da94e3e12237250c17aed59f7b6e9e2a
SHA1

13a1aac6ba264a53659b23e3f8824168f043b923
SHA256

c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a
SHA512

73560a004fd9fc8014288f5a3d3dfefb2c8f584fe2187c695efdbaa8b314dfd6526fdfa0a7c4da3fae3d18a6dc752fc5070d4ef0afb0047fbc184a75808c9d7c
SSDEEP

24576:F3vLR2VhZBJ905EmMyPnQxhe4OLwvHYgUBoHyC/hR:F3dUZTHCLAl

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\J:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\U:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\Y:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\E:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\L:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\M:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\O:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\Q:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\S:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\W:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\Z:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\B:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\K:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\N:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\P:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\R:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\V:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\A:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\H:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\I:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\T:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
File opened (read-only)	\??\X:	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
4060	msedge.exe
4060	msedge.exe
5344	identity_helper.exe
5344	identity_helper.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
Token: SeDebugPrivilege	2992	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
Token: SeDebugPrivilege	3828	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
Token: SeDebugPrivilege	3828	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3828	2992	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe	81
PID 2992 wrote to memory of 3828	2992	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe	81
PID 2992 wrote to memory of 3828	2992	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe	81
PID 3828 wrote to memory of 4060	3828	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe	90
PID 3828 wrote to memory of 4060	3828	c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe	90
PID 4060 wrote to memory of 5948	4060	msedge.exe	91
PID 4060 wrote to memory of 5948	4060	msedge.exe	91
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 3436	4060	msedge.exe	92
PID 4060 wrote to memory of 2376	4060	msedge.exe	93
PID 4060 wrote to memory of 2376	4060	msedge.exe	93
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94
PID 4060 wrote to memory of 5692	4060	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
"C:\Users\Admin\AppData\Local\Temp\c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe
  "C:\Users\Admin\AppData\Local\Temp\c27f426146b8e4db99c94e172b978a57d873c05954ed91b83a6e1af4e050702a.exe" Admin
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1eb046f8,0x7ffa1eb04708,0x7ffa1eb04718
      4⤵
      PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:3436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:5692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:3024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
      4⤵
      PID:684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      4⤵
      PID:2424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
      4⤵
      PID:3476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
      4⤵
      PID:452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
      4⤵
      PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5070894842384793490,11131752919819524445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2744 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ec4b69facc7e71204ef39b547eddb8f6

SHA1
f30e55c9fb65da1c3701e9a6ea3207721e09e557

SHA256
052c24029d37aafb59b7a876a420ecba280037ac3ed2ba79ab3982c5d0e95741

SHA512
1bbdfe39a4391ff3150acd540e5e81a6efaa9af122cfc55b27b9bc853ec272e71a71ef6fe1471e233d4ff33aead20a7d90f1adeea2a230b5b10ef457c99167bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f88ba7468a092d9952b53a0db1fad18

SHA1
bf95235e643088a3f45dbb1926ab8edfbebe9907

SHA256
a68c6884c9bdee9c71ab1dcd4e375f332f3bddcdc602c68c88f6804b439bdcfd

SHA512
8722c21378b3e719a610a72e528fb35547e035c5cc7704218fd02789bd7c7254e22a02e350b6a6acd7033c14ccbba6bbe5edabd37d0f17a6eb9c84e7f3eff57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
584e50af8ac94cb0e0c76446a07ad68d

SHA1
07b93c57076df13d436f38308ae631410a826185

SHA256
ba2a1ff251740bd2b09c116da2499f20c0779a83e90a100c8ebb03f5843c0e0f

SHA512
c9fa0ef34a99fb22efaf365334d7e87b5e5c08be6875a839b5ba79d3edda16cf31367b5f53b1ecb13394c8184dbe2c15d0536e4c74feec67beeaba925e745f48

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
memory/2992-0-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3828-6-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3828-5-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3828-2-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download