d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
Size

894KB
MD5

eb7452ecbb368db5aaee83dafb439ef1
SHA1

8d2d761b3bda63b2ac63c79d0395bfa337b30e16
SHA256

d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c
SHA512

2c2853ba7c7c1d40bce86239023d19681c64616fb0383d6242c47dcefaf7ff9e62c5c85474967dcfc9c77c65702c543bcc6637129e04af62bf6ca02d4659af88
SSDEEP

12288:WqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4TT:WqDEvCTbMWu7rQYlBQcBiT6rprG8aAT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
4668	msedge.exe
4668	msedge.exe
1476	msedge.exe
1476	msedge.exe
4896	msedge.exe
4896	msedge.exe
2568	identity_helper.exe
2568	identity_helper.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4692	4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe	83
PID 4528 wrote to memory of 4692	4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe	83
PID 4528 wrote to memory of 1476	4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe	85
PID 4528 wrote to memory of 1476	4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe	85
PID 4692 wrote to memory of 4636	4692	msedge.exe	86
PID 4692 wrote to memory of 4636	4692	msedge.exe	86
PID 1476 wrote to memory of 2572	1476	msedge.exe	87
PID 1476 wrote to memory of 2572	1476	msedge.exe	87
PID 4528 wrote to memory of 1448	4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe	88
PID 4528 wrote to memory of 1448	4528	d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe	88
PID 1448 wrote to memory of 2920	1448	msedge.exe	89
PID 1448 wrote to memory of 2920	1448	msedge.exe	89
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 4932	1476	msedge.exe	90
PID 1476 wrote to memory of 1392	1476	msedge.exe	91
PID 1476 wrote to memory of 1392	1476	msedge.exe	91
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92
PID 4692 wrote to memory of 4220	4692	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe
"C:\Users\Admin\AppData\Local\Temp\d4264fb0d4352856beaf132796e7ac8f2618fd9ac5856990ac9c73709273be4c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffb244646f8,0x7ffb24464708,0x7ffb24464718
    3⤵
    PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,3982653614668859703,2311514517461769665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
    3⤵
    PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,3982653614668859703,2311514517461769665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb244646f8,0x7ffb24464708,0x7ffb24464718
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:1240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:4172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 /prefetch:8
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
    3⤵
    PID:2856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
    3⤵
    PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9554213152259095285,3017290973246917369,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb244646f8,0x7ffb24464708,0x7ffb24464718
    3⤵
    PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12360316275846403757,6154747668660568893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4a74bc775caf3de7fc9cde3c30ce482

SHA1
c6ed3161390e5493f71182a6cb98d51c9063775d

SHA256
dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

SHA512
55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c5abc082d9d9307e797b7e89a2f755f4

SHA1
54c442690a8727f1d3453b6452198d3ec4ec13df

SHA256
a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

SHA512
ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
af5d4eb86fab1c7e712cf9495c22f98b

SHA1
ce4d015b3ddf9549c2c6eb3926140229206cdcab

SHA256
5bb7a948709b8b91ca9706a7dcccdb5046b5a753b17894e363ed6f4354f21a3c

SHA512
0405da0162ed2a7ca815d37f444c7b3c1c1c7c231ab8943fe967c92024a56b7bc1f7fc05d14f99dff227c2cbfff33ed5f58ac569a8f09a70671905858a9cb855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9142558184295fd88f823c58542636f3

SHA1
b02cf8bdaa3539fc7c061a8c795575d726653909

SHA256
228285f7c9a7a2c7929fd840e71094cdb7d3ec1bc2eeb717bf9ae1d864020ec6

SHA512
6d0b7a7d4c9e9d49026c9700b825250ceba3d2afe962786e0240a05e69ce08c4ae0e610144cbce865f1f0d187e95d3470e700ddec1178fd60b1319355f27fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a29805a0d7a407d1990788ce87594497

SHA1
cae2140d6096b70efaab5de4a70d803097934f32

SHA256
db6219b5be26453cc6c93775f4b094efa704cb6c1261c1d6a22e776839d828b8

SHA512
69e69ae63406edc785d416c535684571c353c2b350b15e70f7e51feb4b6abb10a4135d9d1f7aa6430e2614af20bee53443365b7812a01ce3ed9f6c70b488813b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1014d4488aacb5976e0cbbe9e96469cf

SHA1
a3e65e6654d9fcc9305cb1c782456a0158378620

SHA256
20c714d5d107a7449f03c30150945248b78ce52a3a004aa0da677aae1382cc37

SHA512
7179e87e146834f49a5189aa46cbe2ab87738970b2046eaf2b2c742722f98fb3a48c9ff1df31af0aed611f3d130a7cf34419fcae21d8a31210a3e5f7f8ce9849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
711f566554d23c9c8aa30134a637bb77

SHA1
4c484b0fdc81cadb1018d361d8fb2a49da12e856

SHA256
fe38d7e6c22713ec48ada42add96e8ffe09c1aad3d4bad89e94460890c4a00ba

SHA512
36c398d7ff7c7158f74e34aed04b4d27c7812bab7498adcc699b6b22eef26f7fef0c514b934609bc978f6607f0bf5dac780cd0b4791e255945187eec12ae3cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
28dd7bcf791846579f98952e198886fc

SHA1
482832678e6de43300c08e8763868dcb10800a1f

SHA256
bfeb43750cd95892b42c19ce78ccef7e53cb8cabd5d31cd06b210170cb7da32c

SHA512
0f328061acd4504796b68f8a1676383b7a1575b72fca18a205c08355a929b707b8d936209fbeafffc0a1daea12a05a28eb969f595b945a6026f23bead0db31f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
75beee2673fc2de9118ed8e9963e4cf3

SHA1
f58e55bea6dc900e06d5eeca7fbb5159dac49f0d

SHA256
9cdb7cbf19d67d45b6a877f6a9968202f39626b1babea366c05d98c9e06d37c4

SHA512
e44cf4e7046950882462aa3e440cfc1d73fe8a58902fb7ba0ee6bba88fcd6df9e0008e5dd9c9e65221fc7b03221c3fa4c04a2a87a5b316d73afabe38f7e4f4c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
535B

MD5
a8ec9bb2384d21f44c7349963128872b

SHA1
ffc6ff7c4f309663cc833ad6bc7855e003a2c7f3

SHA256
5fa43d1a646b17c09505e4672c9002fde38a8230ee1cb11b07e2556786c39424

SHA512
dafb71198834e988a35bebfe71e37f08e40570b93f5a0014e7826c73702a600b78b92597f20a5c1178690e9344e1c9589e350fb081dcfcf5640f9e37e4508286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
e8801a995e10b9d1241dbefcaf7c3e13

SHA1
bdb9b3407e4bb817bab70a98cef56c724218b015

SHA256
b69a6bcf5142290f842c292d76e90afc2621fc94ffc08c2889c897a9ef6586dd

SHA512
1efa89b7aeb3d3a59278a82b3a591d520bdb3d62b1d53aab0b1f6c496da047e3d1e2073cca4ed6f6b1b86cc01d6dfa859c53c3d3f7035a83f056a2674dd906aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a99e.TMP

Filesize
539B

MD5
6c92c7c95273e53796e23e3142996e6f

SHA1
1592720d8431e0068ecf5b30ad5ac8cd0c22487f

SHA256
2196ed929919c8582982347f05b94977ef9ff74febd0665f5be0587fd85b5c01

SHA512
20d7aa9d83366e03f1217f2e9fa9e3fe61a82dabfee0fe8b3cbe9db434f6d302ae29dd906253d5a36383010f774c2128845bb6558720a3a765cd651f3a1a4f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ee490df7e1d5f524c8e3d8983ff8c0b1

SHA1
76bcae25a8bbc83a70cea05d806c56f38ae0f49c

SHA256
65d3136518a3d4d0daaa75d237e20da811c0d7b582844b49df9101ee58a97cb5

SHA512
5de53886d128e73f09f113f47bf617a4a7e365dffa27a02a440f39d21b10574f782f3a9da6aca053abba14157092cf9aeebd1f3fbd4352b23d8dec1827565ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b93d7fd8cea4697e8501d7b867ff464b

SHA1
83e3569b3e09f319c7165d939902f7c99a9b32ab

SHA256
3f0b79b88e87ca9a5efebd9b845566807aab2a8d4800c6ce7388cdc7f91b4475

SHA512
bfa67fb3e4542374af400ee1fa913aaca506e0e1c03a4245e9357f74ec373aa30f9c2cb3451943360a1f619ffa4f03f98eff783c3098a81aa459d5ae5aa49184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\aa51e88e-c6fe-4e0a-9527-3d2a04d3172a.tmp

Filesize
8KB

MD5
29ae6deb562e42d3fe83f65e002a42a3

SHA1
70c4c0a832247f7863a20bdd488c96b277c6275c

SHA256
10d6ca661a2cd02201d559f1e0da6f1c8ccf3eb94053d72a8e42eeac4bff4087

SHA512
ab43563abe32d506d0bc82d66edd6502da908ad4726c5caad244f950af3af80ec072d6d76cb017cacf7bf32c60ee3c2621221ad3786030fd8c3c38bcd549e806

Download Submit