69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5

Analysis

max time kernel
146s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
Size

894KB
MD5

4235e5a0849f2d00b29150a07fa8590d
SHA1

461b2ed807695fec4d5d842fc8963ef7a9887c4d
SHA256

69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5
SHA512

026b71889981b68ca0a5909a7816d92e52b08ad52f57a3842510b1156f309b1558159b6a0d075804d18f19ce2ad18db77d00df16b7141c2b6184e5e6b5933b99
SSDEEP

12288:ZqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Tx:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aAx

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
852	msedge.exe
852	msedge.exe
4764	msedge.exe
4764	msedge.exe
2924	msedge.exe
2924	msedge.exe
1404	identity_helper.exe
1404	identity_helper.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4764	4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe	83
PID 4204 wrote to memory of 4764	4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe	83
PID 4764 wrote to memory of 4136	4764	msedge.exe	85
PID 4764 wrote to memory of 4136	4764	msedge.exe	85
PID 4204 wrote to memory of 4124	4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe	86
PID 4204 wrote to memory of 4124	4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe	86
PID 4124 wrote to memory of 4792	4124	msedge.exe	87
PID 4124 wrote to memory of 4792	4124	msedge.exe	87
PID 4204 wrote to memory of 5112	4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe	88
PID 4204 wrote to memory of 5112	4204	69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe	88
PID 5112 wrote to memory of 3316	5112	msedge.exe	89
PID 5112 wrote to memory of 3316	5112	msedge.exe	89
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 736	4764	msedge.exe	90
PID 4764 wrote to memory of 3568	4764	msedge.exe	91
PID 4764 wrote to memory of 3568	4764	msedge.exe	91
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92
PID 4764 wrote to memory of 60	4764	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe
"C:\Users\Admin\AppData\Local\Temp\69aec9e5fe9a49eba80f98a93ee4258a34b1189bc3973d8851802ddad8d41da5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f6ea46f8,0x7ff9f6ea4708,0x7ff9f6ea4718
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:2320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
    3⤵
    PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
    3⤵
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    PID:4544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    3⤵
    PID:5992
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
    3⤵
    PID:6028
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
    3⤵
    PID:416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17263991870694324550,4344398845132586830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3996 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9f6ea46f8,0x7ff9f6ea4708,0x7ff9f6ea4718
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8724641525102148728,2650363309139410014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8724641525102148728,2650363309139410014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f6ea46f8,0x7ff9f6ea4708,0x7ff9f6ea4718
    3⤵
    PID:3316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,566757778000997461,17995830023508575744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
97e7652ad84dff1636d401e553f606c3

SHA1
c89ad6eeb949cb488da972d9bb7b34c4849a5355

SHA256
155ff2da01ad0aaca3f4bf375e64539be1233ff2e085af12c8a0e3d84dc5fdcc

SHA512
fead91d5fd17ee979ef81d6ed7c82bc24ae920a200cb12f4dc9f29e8fe344f05ea2ccd13208615a856a0e2770b476048148f2e04a7aceec300adab6e763c1d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d34f4dccbb6f5515f5cc180266aa5f00

SHA1
026df4e7ba9458df8d969072671ada33e384e854

SHA256
ddc43bbf1a5b9fbc10640a8f2b66e332e80435af7da7119594a213ef82da9d4a

SHA512
3974d59df759473720f568c8fda89b961c4fc1e69b272ad0a273b255e22bad3f2064ae77c0d74dfd107dde99f50abea8bbf21ce9a7d2d0e4cda69d4a978e0e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d346e2e2dd312b72ba40db9f90f4fb2a

SHA1
533205d5742d11a197af4672a7b89e99945644d8

SHA256
0257f1e45ae464558cc16158ff8bae24f25b9a019ba1e8c38c2c77b0ef2bd7c8

SHA512
0fe338c14fd0ead68808d9fd584d385a6e2e8cf8fda5e598a80bddda3c2ab7267ca26b2888bfce9866d9ee439935aa38ec4b475aa294249a6847fc480f408742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
45bf01461c1bec843358b98f5aa04d1c

SHA1
680e411f26df530b5d201992f5fb85e879395c97

SHA256
bbc037f71dd237d460efcd47066966f841d7fd453ddfc6978b50d8726a04a213

SHA512
5efafd5a04f0a671cc4bfaba2db558601219bb7376ea7bed7e698cb2c8793deaa7f935c680dfe3bd9d4bf697d3fd4921f784a35312c38c073d03fd84f7d4be8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1eb9cad76decbdf815fd9fdea7c5b488

SHA1
2b31e12a8bd48c16c2a7d7250bb04db276585828

SHA256
1496b9f2633e49bf9e24f59603a81753816317d86488b3164feb7f5cabfb69bb

SHA512
a7423aa4e9277e1735dde1e4b8843a36671adeecafe5dbcafd95a92dbbd0f325846b6fd9facd4cf977b76c3ec7c79d8a4e35acb6ffd517febdbddf44c29af5a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
52c4b7a55a0a59bf44f1a40bd9787f42

SHA1
a69808852bd65d9832932c3e6e855e5132a2b7d2

SHA256
7d6890d4dc383432590cde4804d1c0deaf3357efc8cc5403166ce3564e036675

SHA512
43f28054aeeef15d3c2a799e84f89e342a1ff95438ae64ce0ece292688cbbaebe31de8d0d7c3e345e6b649274927de6af4ab0f2503aa49bfc2b6d1a579a2944a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
9f8fd1a56037704546cbbf7f8b155cce

SHA1
2aef714531d781067eefc6127979f69585b0cb2e

SHA256
e6c34b2eb43cfac5c9ea3f8e19e50c3389d2da05967325830f31c6465045360e

SHA512
73fd3dd02be93e379d2033d6a215e0139139f3c90644a3092b11cc61c95c4e98a3e94c92711105b104d041ae77fb5085eb78059daaa3e0aaa31a5bfb38bc23c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f37e4bbee5046de421d47d4a96af76bb

SHA1
63219479fdc3fbedfecdb0af40d3170022621202

SHA256
62038dfdafa1510a92cb0c234f67670cb1f89789725491bd71487aa54f6393d8

SHA512
22277956638554290c5eeab88af8eac7046f25dc525aae798874098679a2abe317c234972db14c8d11b624e07de523e0bd9b5323594a301d1e943a1ce240a0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
1de4d99984d244f7fc13c2dc25449961

SHA1
5f6b585aa638e38e464d920408f3482d6deeddc2

SHA256
3e03317e39f9d44aa0b56f07db5e110267411490abaa718af27928f8ccd6f1de

SHA512
acc346801337e388c970c46fb3fc73f00b87bbac305ac2127fa7784b80d9a58962ec539883cb81be0240d2b1d7d7edebf99b1e40116d3142bfd184e6f1680fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ad66.TMP

Filesize
539B

MD5
892a6391fb9fd4b3ace56d9c405ef66e

SHA1
83b4145c22b96aa67723e8b1fa65f360ad637dc9

SHA256
12196e892f5ff7af4d43857aae05dc00e0836b19566f9c2e43d2d46c18693ba1

SHA512
eab88044fb6a2ca92842a176e99817a000830dede347ceccdbc351ba13f547fe9c7ebe6eded4b5547db07ff6748b2a250ddd727491269535f73d3a814ef21b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f5de7b4923a4176fe38481b07dfb81be

SHA1
a72f71f3ec72c841ab1cd684279da7ea48112d3a

SHA256
adbfbd88b532576a3539824986a91f03a4b64a57d3c11651e01d3653aa082f92

SHA512
3010b0e1b076033ed3ccbd630c9f54b43615ca68033d4bedc57ca66e76fbaa9ab8edbdc87f9fd5f894e02d5a03d61b2c916d2d15c7fbaeed2e0c0bf054c94182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
58bfe4a1785a34841e12e96666bf8971

SHA1
482e094eab80f8c0e3f2af6f8db2b2b586644991

SHA256
24df98757fa2a8575978f6e1c2bd9780b6ddd6b4338512593cc0eeab44cd04f5

SHA512
61dd791be0285b359320f46ef6e20507d193139dfc678fbdccc1518a86312b737bae90556e078fbbde78507e6a419898ee1002acc0a486dc7c79199594a2f4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f4461ede1e30db82e88fcb0448d8af1d

SHA1
86d3012e4aea8cd1de744475ce5e1c3132137a3f

SHA256
b28d5d28ce472f90115d4d96e716fa8ac800d8706f3b9b5a73239eff5ec261f8

SHA512
ecb49b547def7823f05b43c0762d270ae08150a7cc0db570015ca21437a4c455a8e25767f4411b4d14b84416aece5cc65b4241476eaa70ba91c6fd139fbf713e

Download Submit