ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
Size

894KB
MD5

458ef4769c373bd566a65f797239c329
SHA1

d2cdcdb497bad52b2c777c539713e47b8d67823d
SHA256

ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc
SHA512

1f62e9b037c08b34041435737de58b792a3dd3d223f39757e68a7c2fb22ef7a47d2d22af523ac21caeab4db08aa715d04c9f6689154b4c953c7eb8f3adaa90f1
SSDEEP

12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4T9:MqDEvCTbMWu7rQYlBQcBiT6rprG8aA9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
896	msedge.exe
896	msedge.exe
4796	msedge.exe
4796	msedge.exe
2312	msedge.exe
2312	msedge.exe
3548	msedge.exe
3548	msedge.exe
4876	identity_helper.exe
4876	identity_helper.exe
1448	msedge.exe
1448	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1016	2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe	77
PID 2432 wrote to memory of 1016	2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe	77
PID 1016 wrote to memory of 700	1016	msedge.exe	80
PID 1016 wrote to memory of 700	1016	msedge.exe	80
PID 2432 wrote to memory of 2312	2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe	81
PID 2432 wrote to memory of 2312	2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe	81
PID 2312 wrote to memory of 4524	2312	msedge.exe	82
PID 2312 wrote to memory of 4524	2312	msedge.exe	82
PID 2432 wrote to memory of 4744	2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe	83
PID 2432 wrote to memory of 4744	2432	ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe	83
PID 4744 wrote to memory of 3280	4744	msedge.exe	84
PID 4744 wrote to memory of 3280	4744	msedge.exe	84
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 4956	1016	msedge.exe	85
PID 1016 wrote to memory of 896	1016	msedge.exe	87
PID 1016 wrote to memory of 896	1016	msedge.exe	87
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86
PID 2312 wrote to memory of 2856	2312	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe
"C:\Users\Admin\AppData\Local\Temp\ac7f6ec6ecdf697741e0f6fa28f2bf6600fbe41934f2be5e33e3dd6686375bdc.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6753cb8,0x7ffaf6753cc8,0x7ffaf6753cd8
    3⤵
    PID:700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,7762928863654410880,16489327169578093950,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
    3⤵
    PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,7762928863654410880,16489327169578093950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffaf6753cb8,0x7ffaf6753cc8,0x7ffaf6753cd8
    3⤵
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
    3⤵
    PID:2856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
    3⤵
    PID:2752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    3⤵
    PID:768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    3⤵
    PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
    3⤵
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4867839449513545046,15993626992239316662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5384 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6753cb8,0x7ffaf6753cc8,0x7ffaf6753cd8
    3⤵
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,10434544928239470364,1677172778219961031,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,10434544928239470364,1677172778219961031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\124b0fd7-c8e0-4b3d-b59d-2e639e32ccff.tmp

Filesize
8KB

MD5
fea3097d57ab7e4e76863d60726d728a

SHA1
f8699ed2bef5ba9408097250eca30ae453c6d358

SHA256
ec6a1a40782edb157546ea72b9ee3bf1ebeb8bf0201c5145a94e434112119d49

SHA512
874c2db6f99a6e1daab22b87c2113526e4cf6186ec112298f9020b3cec0570350d9c941ae42c48058a7b72594f0cb06c352c77be0016c6a2d588cc5fe48e7e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f567afc437636733da4ff47e08123886

SHA1
5180986e4759ad9d487d27eaf333ae7d12531dc6

SHA256
9f039ad6ff6987f179dea0e85874293f95a5eeced674601b875643b7062649e1

SHA512
ae78e6297f5f8058e6b5586cfdd24125b5504d1bde3a208224185c80e2963779e0c8891aae0985a5c31f329544ca26283e941c375db8cb8b791d104dec66b7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53c4ffa32bab6c461acc3c0820518f35

SHA1
3a77500b91215b44227bada69d234e27b277f642

SHA256
ba14a81ffb41c431ac8b33f2da2f3ad1e58911cda09ea0cf65d4eace54b16351

SHA512
a9232cd4aa754ead345fcb0f6ae4afabafb505a450602235a0f48256326002db7d2112d4bdff3e0733242e954568a309f4fd7062514b0878a9e43b96473a7a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
572537328ad85217a6623d39142b08bf

SHA1
7338592d5904a995fb947ba9b0e039c96ed18ee5

SHA256
b601474b9f333eca09f4d86dff0935a477116c89b93e6afd9128983bcd03637e

SHA512
c9a1baef408903b5b94c5ed4572575cb88b39176df2a841ace5cf9363e8b963fbb7ee9656a5204979f08ba3fdd28173d99b6dd8c2d108f9db64102e0de032ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
4309c8d620eaf5433d08e969a82128f7

SHA1
451a9e03563fb76176a078f5ae1099b777e7b98d

SHA256
7338437187911df798e85673b3c7cdb78cef68724827311e94640d16ba325d7e

SHA512
31518d357cfd51c7e8a3723441065efe63c75050ec805c96af215a2fe46a12c089f9fffb2872d054d0f3fac64f9588c2b45bac5624500f8f5371a3f4086af34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
be506bd4129b62c34e2b8b30b68484de

SHA1
e192da824c6b84551457f10c6a1d4274c72a9a35

SHA256
5efcf028830b0823b9aa9d76ab71a364003e0c9c12fd716d67889ff6960ad8fe

SHA512
335649726541695bbf05578af456193c2c098f1f32f3484a16575c78c21d571b837e3af4a6a3852e2c012984dbbbc6d105e3accf469ab3e4b4488a77ee05cf9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
57bdad6827b6c474b34ab4bbe3890abd

SHA1
401d3b2509ab43f779ba7910302856e092d0b634

SHA256
ed7a9e4356cd8af8b33b3f30aa9095e0577cffebc21f7dd28508d313a2370d62

SHA512
acc40fedb2971181d9462a05aff7ec6c89d6a0775d4bfc13d0ae00d4108124aebc7dca7e028fafabd5506aa16cff1a7cdcee613038f9bf95c8c8a3d020276579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
1f15766c5b0b7249630e5f0747251529

SHA1
4c09f82b3dbc7729adc9cb5d1b7d5e68e8b4dd15

SHA256
13916c30785d78506a86334f64236bff3f799501f87dee94aa76f4e973bcd155

SHA512
d95f93b74cfc1a378c87ea76fc4c4f3a054f19ca573f7bbaa462dee83453d3f5618eba989cf76a1ca6a3c1765614459f53a8fe7d0d8ae7579a21d6dd5297bc07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
494b42f2e3c9b9f661612667b9747134

SHA1
5631766ba79bb4971de077e81948e25a706f27a0

SHA256
36258428a757e8dd19bd0e9cde69506ae4c3554fd80f837b457fa71a0ad0ea64

SHA512
f561e2055b5d08455298f50c598d2275a9e3189833141b162b92caac63148750add3a4ca9f33237137d44dbb177d677ca6d17fbdc539dfc134bbad8a382fdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e426.TMP

Filesize
539B

MD5
6b6255923872fd64757f2432e59bec71

SHA1
1181f994a06b1a65fb8981876e5d07b864297c13

SHA256
e79fd27a465a126405a90fe9c232412132d3ba957f55b518ab479935bc4a02a9

SHA512
2f181dfdea129658120f7b9e2d6e5ebf159522a4327c0b472d71c872d88bc5d0a2d25efb279d364cba952351c97f8a1186acd0f4be727932021db25e541c1022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a71a4730-cc5d-471d-9c1e-3d6a02241765.tmp

Filesize
2KB

MD5
3b777fb1c612f29219ba285156866b22

SHA1
4b87f02a05870bfdf493fa2c4a28496d7e8312a7

SHA256
fccf0a12e02a248ace3ec205d409f7e989fa548a81948100e1a9fafe396262fa

SHA512
dd9249baa64c9afb667c72a18246e677f5c85f8b588a434a7a9917c8c647129337f8463b46bada54f4de4c97d04c17f724bb2a62398dd634b5b72961e28a75b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c2de0fb1-d63b-4c1f-aefa-aa582a0faea2.tmp

Filesize
1KB

MD5
7fd6309960262752f6394bc7a190a88c

SHA1
b0cec89d67cea601fef886d8dcb643b77d5de438

SHA256
06d9a52c0a41d51cbad1c0264cc6b0f7b77b488c691c40d50596e6b96afb12ba

SHA512
e5be4e248ed5671f77759e8777aa9d5ea24f915d49abb02a1f6b9462e4631b9261ccf902821c350e187a96dc5d01f88676e46c94cc51136e5f48aa1cfa09d9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a461bf532a666820dd7735ba9953d0c4

SHA1
f7a872bf59533cef54f93d766c092c2e4fed8b27

SHA256
4e287bea69dbe7576634cd3f14d363d1c29b35b95fb7351856fed902bdedcc3d

SHA512
f9d7b3da17f22aa21a0f15d319b6be4b8e9915e1c4a303242dce81496e3f363bcf532502ff51f1a915e83fbf0b999cd492020ac4f36b9d2485393cf53959c833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca6a94d78991ab5140b662accaaf8959

SHA1
e67c751f643b24fdaac48333318698e04936761a

SHA256
ebce21695f6edb9c7887dfe6294f6b83198bf3b7d92dc25a2bd65b4662691dbf

SHA512
c438991aff71482008c38d93ffd4f2b27616643489d9ebfeb186370e60c0cde48a421511d66a034e995c366387155ddb2842b1ed584d194bcaaa978f1dc3061e

Download Submit