b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440

Analysis

max time kernel
145s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-06-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
Size

894KB
MD5

1bd6838e07a93097f9c289910a6983f3
SHA1

cdda980d50c9559141efdb3a7410e1169314b2f9
SHA256

b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440
SHA512

c9aa3801455848ac391a8049dc876a25fca73c649eeb201c6225de2fb5baaea9bcf1e8c20e34b7e151139e7d40ed7b1b5babbe1e8d340e05d1d0e8f377658b42
SSDEEP

12288:WqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4T5:WqDEvCTbMWu7rQYlBQcBiT6rprG8aA5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
984	msedge.exe
984	msedge.exe
4436	msedge.exe
4436	msedge.exe
5084	msedge.exe
5084	msedge.exe
1344	msedge.exe
1344	msedge.exe
5400	msedge.exe
5400	msedge.exe
5788	identity_helper.exe
5788	identity_helper.exe
5756	msedge.exe
5756	msedge.exe
5756	msedge.exe
5756	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4436	3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe	81
PID 3564 wrote to memory of 4436	3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe	81
PID 4436 wrote to memory of 424	4436	msedge.exe	84
PID 4436 wrote to memory of 424	4436	msedge.exe	84
PID 3564 wrote to memory of 4896	3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe	85
PID 3564 wrote to memory of 4896	3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe	85
PID 4896 wrote to memory of 3008	4896	msedge.exe	86
PID 4896 wrote to memory of 3008	4896	msedge.exe	86
PID 3564 wrote to memory of 1984	3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe	87
PID 3564 wrote to memory of 1984	3564	b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe	87
PID 1984 wrote to memory of 5004	1984	msedge.exe	88
PID 1984 wrote to memory of 5004	1984	msedge.exe	88
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 4464	4436	msedge.exe	89
PID 4436 wrote to memory of 984	4436	msedge.exe	90
PID 4436 wrote to memory of 984	4436	msedge.exe	90
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91
PID 4436 wrote to memory of 4604	4436	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe
"C:\Users\Admin\AppData\Local\Temp\b578785e319ade86eca6055c6ebf686084b87b08ddbdb8dbbb166e3f755a0440.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff25483cb8,0x7fff25483cc8,0x7fff25483cd8
    3⤵
    PID:424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
    3⤵
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
    3⤵
    PID:2012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
    3⤵
    PID:1640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    3⤵
    PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
    3⤵
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    3⤵
    PID:3780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,13332293847602900607,450625209868335072,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2944 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fff25483cb8,0x7fff25483cc8,0x7fff25483cd8
    3⤵
    PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,15161160977344598552,10820522336505681074,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,15161160977344598552,10820522336505681074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff25483cb8,0x7fff25483cc8,0x7fff25483cd8
    3⤵
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1784504628430905026,15040951206766535868,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1784504628430905026,15040951206766535868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e10636caa03d07f90e429322bbc579c

SHA1
46b6611482d7f5cab0b6091b1956220ffde2db5d

SHA256
a0c01735ec6cd86ceebe9b93eec21700bdc0068fb09c863fd2d9c917d3a6623d

SHA512
9ad6ab154462bccaaf9d1b5f4798fe9b46808dd249d16a0de7ee887cd454f70d1f6eed2d497bd4b5a39d181b769f012d8e15d5bb48cc0cec8c16302c97fbc9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6bf3c79f7ab86de33019955ed6f837db

SHA1
8cbb77b9aa3e8facf99254a12e19f7a3c72c118e

SHA256
7ce34921b3b2298cd2d706d26266085f12d87ff9e33ad66a3788ddc73f981ab4

SHA512
19194e46419f5c8c684d662124f4fd2bc0056594bcba5918aa56157cb79199f038918d44c8b3c13366680f2b63e6b5484a826f7569a63d536ad9e23ea07c8ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
99f191d43839d8e02f4af82b54375280

SHA1
d6c3c6b9119ff6bf924422b9c7e38bb9bc121bac

SHA256
b9de5acb8ccb6c07c378d9e68d3fefe625d40f51133d940abc70269e822b999b

SHA512
fd3e936072c0bff73c9909cf24098a18d288008fa979bcff54822abe9125d05e2e0b71b16319eaa209576e2313a403652004a177f61977e5b3b4030311458380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ba1c880dd3317c6908574930cb32d82

SHA1
9a0e839399d8c789d15d30321a92e5ff57bddffd

SHA256
35dee4950a8fb200ae5b5c36377c5d72f0e3921e0688bf928e48711e9f7a128b

SHA512
390831bbda74c168a3417ca4c519db14aab1fff28c54c1020057edcb72641376da26c29450f69a946b186837ada470fe009f625678b692a8d2279d5f2220729c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84516a521dbb9773c717ba5a23088929

SHA1
98f4810e3afcabecb0a09fbc29c47ab193f17a67

SHA256
c6c41984952d128b271a51b749d413315f3a8c5fa42867878a7831c77d448cde

SHA512
2edfe68e452d63dc87719dd03295d6c99ad7ba374522a75d99ee4bdedaaf6ce3ef735c4536aa3a0a1c32b940e274067635d5a6ad415d9b1a740e2076b7e56276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
31942431ad054bf69e44b42f5bfc4575

SHA1
58ca0243c1ebd65f2d430dc91037b6eca7d21ca1

SHA256
700e213f444399d46e7b464b8eae55d04b7cbecbedb561fbf83ec5a571922b1b

SHA512
1ba621b66d88a09bf066b962e42a0ba7dcefc000065c8322d11445e25b02250ee8923060d4fbcd7c65a5928f3a5e89fdaf5590c496f3052b2158150674da24c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
d5a7c2e361ad2c6ae21997c5acbdb5c9

SHA1
635a3fce42b85e2ac4af14fcfc40ac4fdd9485f0

SHA256
88e478ee79fc71797d2a0c01f2e89926585b1787ef27f25e19e057c1219c260f

SHA512
905259ee46da4475bd2042e8da258faf9d4abcc6ca202a4cd41d68f7d55eb9071d406bc58a95f579e10a7ee191b7b5a9b6fab5cb2530e7f74dfeb89d8e6dac52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
732693bda4f1c5860a07bee14e8f9949

SHA1
a05aaf9da1cb9994e36f384985e63951a558c61a

SHA256
5c253cdc06d8bf680719a1d5e81cae34f04c24d980afce7c58c593df9b2c40f0

SHA512
099c6d24cadeaabf43c8c9ffab93c0211cbdf47812a8cb356c225fa02bc874b643c492530e54890cbeae17abd34cb5e61eb6fcc3ef9c687129f17cde2e46dfec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f9f59d5e7e5d52b506091fbdb1d7d5b1

SHA1
450a675d50ab50096a1c59fd39a6689f00151adf

SHA256
ffb41e1403cb379e0f707668729bb9505accecf299a2713a2f5548d30fc83e6c

SHA512
d562c67bf47e5424ca735990804ba5da57147d3ae75dc74dd794d466d685a401549788f2fcba73e9b093adb740fa39fb0b989e122b6c20a18422439f8c5a36dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
8e5e03db5347162d79c6352408cb05af

SHA1
e8f4a23cc0b38aec6bf400dd35e1d5a0d64b19db

SHA256
395d0c3c868da0fa9ae4b0f31d6020feb9896cf0029995724e86e78b06113d39

SHA512
a8f7082e473290441d677505a81331b51f8d47b7545398b54795cc5d7ccb51cfe0d05fc59ff7dbc0773899598c542ff66ded1d3bd0ccfe2361328bc5e5a39ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a97e.TMP

Filesize
539B

MD5
91e3047eeeac55c94a4357102ce422fc

SHA1
836326c50867c96b608b4d7d6c2acc2dd8ec9974

SHA256
53de63958df75416455abc57ca1f3c0595d614bdefe92df14d7e879d7c306eab

SHA512
124b7e509bb4f287edce038e4937d38aa9fc4deb795d3a6707d4a9ab0e96096d0805cd453e8ff1271eaa104be88bb72513f9759c53e5a04623a706115344b511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
73bba10b97084fa7670b7908fefba758

SHA1
b502adc190bae76f9b31386929eda9fa704186cd

SHA256
6ed87f4d313c2fc7543d0c07d20b885615517d2d9e5fa02d02e23c326b17d5ee

SHA512
9ad4e071273c19594ae6f75a05009ea380f23b9e0dfd76117563dcf2526933402d025bbd8dd53011339388d91153e207ac40f7ab7d9dff6707f463c83679213c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
58598120f9cc7ea8a4d8aeed8d7cce48

SHA1
890972ead5d4a13e67e383f5a0073444528533a2

SHA256
74479b450459fc3246afeb293ccfd6ac62979a03f941012c718d2c6c0d31df12

SHA512
75d74e8df19320694140a73cdfd90f94f024a1ebea241ebd9315399909ec1dbdce1f4018fe4fa1dc90eeaeb1f0f72fefacaada6601d9b475bf2bc0a3edb4048d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0fb0b6a97339a422af5ac4873601774b

SHA1
5f1412f351eba581fbcaf8364b656a47be84ea40

SHA256
e489f8e2d27b133977114e9f9046a45558f61347e04fc5fac2fe80b6771e6f4c

SHA512
dadc39a2d2a478ebeb4ce64d84a903463c855b17893c024f68cbf725ae325724294e6724c323e8e18e23c893f72ae0a936753cfe89bb88a767fcd78bda0952fc

Download Submit