97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe
Size

12.2MB
MD5

c329578bf0dd9d9a04069e640f3d7de9
SHA1

380a1a027252fec490b15a46daa7369f175bc196
SHA256

97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4
SHA512

1d9908c5e27562875e9c63b330600b64421029955117de110f6794bf872e3d9cdf0e9a65e63f82fb88e712d46e76a7cd56176a91c1e02aaa7fb7458872774701
SSDEEP

49152:WFK021v7V3FEPLQ8Z7El6y4Gh0KooN7gqq/svT5VWpx:WF5avx3FruYrh5ooF1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
4872	msedge.exe
4872	msedge.exe
4412	identity_helper.exe
4412	identity_helper.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4472	WMIC.exe
Token: SeSecurityPrivilege	4472	WMIC.exe
Token: SeTakeOwnershipPrivilege	4472	WMIC.exe
Token: SeLoadDriverPrivilege	4472	WMIC.exe
Token: SeSystemProfilePrivilege	4472	WMIC.exe
Token: SeSystemtimePrivilege	4472	WMIC.exe
Token: SeProfSingleProcessPrivilege	4472	WMIC.exe
Token: SeIncBasePriorityPrivilege	4472	WMIC.exe
Token: SeCreatePagefilePrivilege	4472	WMIC.exe
Token: SeBackupPrivilege	4472	WMIC.exe
Token: SeRestorePrivilege	4472	WMIC.exe
Token: SeShutdownPrivilege	4472	WMIC.exe
Token: SeDebugPrivilege	4472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4472	WMIC.exe
Token: SeRemoteShutdownPrivilege	4472	WMIC.exe
Token: SeUndockPrivilege	4472	WMIC.exe
Token: SeManageVolumePrivilege	4472	WMIC.exe
Token: 33	4472	WMIC.exe
Token: 34	4472	WMIC.exe
Token: 35	4472	WMIC.exe
Token: 36	4472	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe
1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe
1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 3656	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	84
PID 1864 wrote to memory of 3656	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	84
PID 1864 wrote to memory of 3656	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	84
PID 3656 wrote to memory of 4016	3656	cmd.exe	86
PID 3656 wrote to memory of 4016	3656	cmd.exe	86
PID 3656 wrote to memory of 4016	3656	cmd.exe	86
PID 1864 wrote to memory of 4548	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	88
PID 1864 wrote to memory of 4548	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	88
PID 1864 wrote to memory of 4548	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	88
PID 4548 wrote to memory of 4472	4548	cmd.exe	90
PID 4548 wrote to memory of 4472	4548	cmd.exe	90
PID 4548 wrote to memory of 4472	4548	cmd.exe	90
PID 1864 wrote to memory of 752	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	91
PID 1864 wrote to memory of 752	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	91
PID 1864 wrote to memory of 752	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	91
PID 1864 wrote to memory of 3452	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	93
PID 1864 wrote to memory of 3452	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	93
PID 1864 wrote to memory of 3452	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	93
PID 1864 wrote to memory of 4872	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	98
PID 1864 wrote to memory of 4872	1864	97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe	98
PID 4872 wrote to memory of 2512	4872	msedge.exe	99
PID 4872 wrote to memory of 2512	4872	msedge.exe	99
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 1644	4872	msedge.exe	100
PID 4872 wrote to memory of 432	4872	msedge.exe	101
PID 4872 wrote to memory of 432	4872	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe
"C:\Users\Admin\AppData\Local\Temp\97a1ce06f402a4f08ab32183743043d5041690baf1547cdf3706dd542af4b1e4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic path win32_baseboard get SerialNumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_baseboard get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic path win32_computersystemproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c vol c:
  2⤵
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c vol c:
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://forms.gle/HW6qZDxcEqbuCsMw7
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd3f4a46f8,0x7ffd3f4a4708,0x7ffd3f4a4718
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
    3⤵
    PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
    3⤵
    PID:1952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16109428830502646345,2747299824802356772,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
6b16db1c2df808c45134b78f87a8b509

SHA1
c30f59fdb6869a112f6ae448e4ac9e74d104288f

SHA256
e4627eb96cbd236b84cd0f36176e3da5c9de206c3e13ad60cb90f9b7efce869c

SHA512
fc9bd82647fa7223e53fbaece1bc3c860a9887b1adb6885dbde377357ac3387110645af37877956cabebf2e1cf19e63e645b9e7c776d1c53c809ef6b9ed8b5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0ac25870804d78f8603ba60625c45f39

SHA1
5c52165edff55e4d2e87223d5020682308421ecf

SHA256
ec229032d4a29671b0288749f4631cb116a8b849c0b38856749bcdb17212ec48

SHA512
b9b8ca9edc08f276b9c17528b9f6a2143cd7a1cb7497f260695af66dd48bf14ea3b0c6bef78cc4f04d69fbd528c50fb16ab4c127e74d090264c6e59999907724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
55294669e0219f98c25c774345b3e287

SHA1
d4d35558cadab6dcb59a8bb938a87ba62dabe0f9

SHA256
665d629bbfb715972b5644cb651a2346f640175dfd75b9b8b52a6b078375f11d

SHA512
cc90abd67d454af00cd6470688b7d8df1f526668fcdc8e559958e32ddfa724f025c5192be1090b3f0e1700dbc197bba6d549b7ae28101196e0dad93389c78dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d37c6a2026f600db97f721cfb248ea48

SHA1
e5610948b561bd2f3924c0bacf976eba0eeeebbc

SHA256
4472d2cf1bc17bb2a754b863baa3422836edb98d88e606ae8b41da73206849ff

SHA512
116bcca4acacf99d3854bb6dac8371e3f150549dd69af298aad55cfc2a55a985d52ee0bcf5719ebce7242befc807a1bb35acdbb7cfb951636614261a2d1cd062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6166a5705352a0d4cc0fb23bda2dbe77

SHA1
67cbcc9fd6ac8d3a5e93cb49758121242010fc97

SHA256
52d7f3bfe9eb4265c56a297de1d9f513e0e665274ababa7b1e8f4b8f0dcf9eb5

SHA512
5ebb509b4d713d24c172cb79dd2540292ffdfd9a89bfe179d59dd75a55204d9bc9b989e2ad7f1354c28304868d6b7f10f5eb09d97996fe2d7d61a8505e5e6902

Download Submit
memory/1864-25-0x0000000004120000-0x0000000004320000-memory.dmp

Filesize
2.0MB

Download