1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
20/06/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
Size

894KB
MD5

c326c0fefe66f5bce1231cd8f4974ca5
SHA1

679ef3d1f92f4dbfd84670dc94e05eb7593854fa
SHA256

1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf
SHA512

14ee37b264d25340d6c3468cf60dff1b6a8c45676d9753ff0f107033bcf27ddb958c57476db0f8021b758708baad8e2d54a21ccfc9f19f132a59f739dd5d6fea
SSDEEP

12288:QqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Tr:QqDEvCTbMWu7rQYlBQcBiT6rprG8aAr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
1344	msedge.exe
1344	msedge.exe
580	msedge.exe
580	msedge.exe
4432	msedge.exe
4432	msedge.exe
3036	identity_helper.exe
3036	identity_helper.exe
1116	msedge.exe
1116	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe
580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 1204	3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe	79
PID 3112 wrote to memory of 1204	3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe	79
PID 1204 wrote to memory of 2748	1204	msedge.exe	82
PID 1204 wrote to memory of 2748	1204	msedge.exe	82
PID 3112 wrote to memory of 580	3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe	83
PID 3112 wrote to memory of 580	3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe	83
PID 580 wrote to memory of 4388	580	msedge.exe	84
PID 580 wrote to memory of 4388	580	msedge.exe	84
PID 3112 wrote to memory of 1736	3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe	85
PID 3112 wrote to memory of 1736	3112	1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe	85
PID 1736 wrote to memory of 4556	1736	msedge.exe	86
PID 1736 wrote to memory of 4556	1736	msedge.exe	86
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 3472	580	msedge.exe	87
PID 580 wrote to memory of 2600	580	msedge.exe	88
PID 580 wrote to memory of 2600	580	msedge.exe	88
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89
PID 580 wrote to memory of 4028	580	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe
"C:\Users\Admin\AppData\Local\Temp\1af6fc7cdf94ec395611848ac397225bf258eeeb019dc713d3a67fcdcbe29ccf.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc1c0d3cb8,0x7ffc1c0d3cc8,0x7ffc1c0d3cd8
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8581161409830082374,15658117577915699252,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,8581161409830082374,15658117577915699252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffc1c0d3cb8,0x7ffc1c0d3cc8,0x7ffc1c0d3cd8
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:2656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:1180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,5688657608485901752,10960494870624756705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc1c0d3cb8,0x7ffc1c0d3cc8,0x7ffc1c0d3cd8
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,5882594999328293507,2430840217481953807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
888dbcae63f55a5a9382a00a647cb0ad

SHA1
3f33b5ed3ad0e92648956e0c7ebf8b324b7e8104

SHA256
f705e222959745a11143f65a65383fa29386eb3f602e6ed7fca892a6e466eb65

SHA512
02cb11e36406f5e9ed407b6be6e24678465b927c42119594e0004ca505c05a729d2db913bd9d76134d55502bd3213bc8fa18f2d3772430330c8822b7eaf2447f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
59cb94e6801e333cbc6e832a735196a4

SHA1
fa6869af2b3e10f866fb442a47bbbad884ef83f7

SHA256
0845647cbff2c1a5a66680e3f5a0a56d649f34e3ed733eb5fb401ba05156377d

SHA512
0c55b905215d9067fbd810255aa09d63b7642a8ac84ee07700c76b146ed91e6ca55046f98ebf1c56b0e4fcaf1b8927238832878025a33282cba94eca4ebd3020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c9f9fe0190185a612993fca044a37911

SHA1
e3f5a4233e9f0303c99c011d17871963830598ca

SHA256
e7835b30cef93d2090464a8de952cc76eb4e0f498c77964a2eef842bb567dd02

SHA512
b89e57efbb854f92f1f4908514f1925f27aceba1c9e318d4811b2d79c9ddfe317f0c222c8ef7593a98cd3d31ad6184246153c222fbdc9b35937d8a5985991eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21052e0175562e6a12929d87f1e78067

SHA1
4aca34f8c0d985d708358743c54a60074c661eea

SHA256
07fcf4857ae5afe17f32d9ac0650f8cb003ba9934d952cbb60d044ad5b4b6125

SHA512
74f801b4da8c1f9bd82feff7b36f36741574708e53b17dd13ed8b02edc0b37d5c06731349a8efaa4077ff750a82ef882ad8973441f3da9d2891a9c1a54e8cbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
51857d508efdc4c179b13184052d8a76

SHA1
84032b55a1f667d819e8ce571be52069058bcd58

SHA256
f05bc1a95bdc2c4f488db07af74c1752e1494bcaf2c70328bdf0350f198cd6c6

SHA512
1a4ee689232ec131ab540ef60aa122ba0988ad097771eae2dfa22242b61c11fd578a63516d0ca89bdf4da01110d73a828922414dd1548fbbc03a43aae97e274f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
4105ef3c4ef564246d926c2a667d152d

SHA1
169eb53f69b9180a0fc5e58b04d792f705d6014d

SHA256
8b54f905d91c38e4a9f76d3ec8ae6855c20dcdba7defdc2a7a630664dd15c71d

SHA512
8997ecce5d2fee46e6b666c851c1a3da3a1eee0d9602e0752cbe5b96882da14daf6eb47fc5222e673f270c79f5c0efe1ea270f3b2b102079150929e2d6caf36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
35f5d48a1f57dc39fc28fcf4255a62fb

SHA1
57b0a1838aae82399cc6e5fb9f8e1500374d3caa

SHA256
fb28e9a155366d58ce24fd7cb1375f4f614689d721eb9f4cb240e5e7226770aa

SHA512
5760abcabf57485f921789baa09afa3067621cf6977c77c35a2c2bdf3618c7c2eb543deb71f9b6178302b833e1b58ddff40e67e04a5240e58a92b45dcba6729d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f31c98bc34d51cc8ba97efd2f92774c3

SHA1
6b0532ec6a07cebf703b192effbfc679dc935f6f

SHA256
928a5c7fe738b2bee3c7d1b89902b2e9c2610ba90f328e0ef63ce3695e771ecd

SHA512
f6cdc6e4e7b00c3ee31df2b017dff4aa20733dcfff0543f304264644e516d0160ca21d43121b15771afe97c8f1248b85587ae0eb77061a38f701aa9f5e7c0138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a5b6.TMP

Filesize
539B

MD5
ec945a7bb0f70256b67a3efa44cbd671

SHA1
35ee25367417b4c33ddb31097e83cafb11dfb77e

SHA256
09d03c687970e3a653e5b6311ee255d12c0e99c9dc6cdc2a0f189bfa1ab1386c

SHA512
81e0ae0b048ac2733beab742f29a5afd17a59436ebac1161a10a1480fdb0afa362598efdb3701dcd1973875e42b2e127fd55614c19452700a9729fd7fef73cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d32c76b3-767b-40e5-8b73-9297ddd49d76.tmp

Filesize
539B

MD5
858f91e64b12d9c6a733d8f60cac4570

SHA1
058e65d6ead3f021f763f62f47de2e0ae1164eb0

SHA256
246918e47559412ba20cc02aaa0df499299af73e7f6d96b4b6d68c63f3ed0053

SHA512
41631e3d7f76586a5611fbd30ef0b24197e844b9482c9f9a7188d1f82f7ba7ce3d4a11ce14da362c976e305b637dd2298097ccff0c286187d0040db0f2b6e4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe575dc0.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d6adb3e0093629d5776d02974b242d05

SHA1
cec267bbc06cd772298f03790c2e33f703b74321

SHA256
92faca10a49d99662e5501032b6385201d78f730c908964c3f1598fd25834c71

SHA512
8d67d326fe8996dd5ffd976c5e75abeb4cdf23cd2420fac3a1f92c137b70c778c5830a306b502e557fd0f1fa128a668be86af98b383859f0c8c60b76312c1564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b6443127642c4fcb4dff0481477a3a2f

SHA1
c352a1f0743be732f37db003f2fa92caeb096217

SHA256
2bdbd535c18b95457c59a563b9cb7158e852aff298e6103ba9ed37e34ec0b4bb

SHA512
b2b5f41d72d0f524ed615a95072dc91edb0f2ae258d861bc608c81c6bcdf8c8539c26c4e8a65821021d76cc2742bc1f69532edd2aa10ff3af2e1fa9cac0d8b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d54bbfd59057d4646ea796fa209b3cd

SHA1
b67ef6a619e99a9e65f48b1ac50759a13a1675f6

SHA256
4f12cb7adefe43b8a28e72184e2ad8cf65e0dbae4db83127ac67e285d2e97fa2

SHA512
59d4c9ffd2d73bb3521c888cf235ed300c3af432115a0f813881eb3efac49a61121819c5fbab99521a9a51ac377d88f048653a1f9e92f5c65f2d0557279ce220

Download Submit