01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25/06/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
Size

894KB
MD5

42f470b548862d152067fc247219e28a
SHA1

0e1a46928237bc07a581118190e095ac0271284c
SHA256

01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f
SHA512

3e184adc87fe449cc7a3b0dd9ae63fec0033d71bcdcea00aa5cad454d7d13b10cea4d5a4fcc7d765a08275d148be8e2b0f58025fa04f6476fada7c050de7ed37
SSDEEP

12288:iqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Tf:iqDEvCTbMWu7rQYlBQcBiT6rprG8aAf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
4496	msedge.exe
4496	msedge.exe
4296	msedge.exe
4296	msedge.exe
1016	msedge.exe
1016	msedge.exe
4732	msedge.exe
4732	msedge.exe
112	identity_helper.exe
112	identity_helper.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4496	2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe	80
PID 2864 wrote to memory of 4496	2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe	80
PID 4496 wrote to memory of 4692	4496	msedge.exe	83
PID 4496 wrote to memory of 4692	4496	msedge.exe	83
PID 2864 wrote to memory of 2720	2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe	84
PID 2864 wrote to memory of 2720	2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe	84
PID 2720 wrote to memory of 4584	2720	msedge.exe	85
PID 2720 wrote to memory of 4584	2720	msedge.exe	85
PID 2864 wrote to memory of 424	2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe	86
PID 2864 wrote to memory of 424	2864	01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe	86
PID 424 wrote to memory of 3184	424	msedge.exe	87
PID 424 wrote to memory of 3184	424	msedge.exe	87
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1548	4496	msedge.exe	88
PID 4496 wrote to memory of 1500	4496	msedge.exe	89
PID 4496 wrote to memory of 1500	4496	msedge.exe	89
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90
PID 4496 wrote to memory of 2412	4496	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe
"C:\Users\Admin\AppData\Local\Temp\01874e76c909a5061628a94e1a6a5c9286a8b2615f395e2bfba75d83e13ae21f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f1c3cb8,0x7fff8f1c3cc8,0x7fff8f1c3cd8
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
    3⤵
    PID:1548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:2412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    3⤵
    PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:1012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
    3⤵
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    3⤵
    PID:2776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
    3⤵
    PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,533432503119746044,16157969045503493487,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1776 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8f1c3cb8,0x7fff8f1c3cc8,0x7fff8f1c3cd8
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1736,1536092974693551736,5069654412743970816,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1736,1536092974693551736,5069654412743970816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f1c3cb8,0x7fff8f1c3cc8,0x7fff8f1c3cd8
    3⤵
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,12344633891010866096,1312322481200634892,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
    3⤵
    PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,12344633891010866096,1312322481200634892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bbfb66ff6f5e565ac00d12dbb0f4113d

SHA1
8ee31313329123750487278afb3192d106752f17

SHA256
165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754

SHA512
8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9a91b6dd57fc9c4880d34e9e7c6b760f

SHA1
77a09da6ef4343a8b232386e000cd2d6b9fc30a3

SHA256
0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a

SHA512
9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
1e74c62979cfeb305dcb4d3848bc9823

SHA1
27b06b507518e3164dfc389ed48ee7efff6d8aaf

SHA256
41864c072a8be1d4bc8f8189e4e8d1a8279912cb4920276250d8e5b7ff101038

SHA512
82b7ce6e90b64b54bda83607cce87ba5e671812107fdb252d4297ef5c70884cc60e13ccb233558f89afabadc47288755744d96f7f085ca88723f18fe21cf4d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
63e139fade55ee2fb8b2df3a47d1fe6d

SHA1
1cbac5a1e73f67e9ce13c88d165bed6978d2f517

SHA256
8ffa82856d525e2182cec19d0c92bbd6ad14d73d30aa15112a12c81f4fd9058d

SHA512
1d68c7fb0ffa1f9169ef5cfa3df39897fda06d1a34fb44805cf8c7a7673f6c8e510daceadd49c39585bb60e12f707ec2cd95de67429d42b4634271b528332439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
68cab091ca995d7b09ede3db0c0e6571

SHA1
b0626365abb10536ab081d9809a0dc98ade10e69

SHA256
3c1f9929f71b143b3f70e270058d5654824c8abb315f03870d182201a656dc4a

SHA512
81a8e71b7f89d047d486333f55d9084605299598b6bd7eccf8dc8818f0a6166d7fbf066ca24e5b7a7a094621408f118a74d8286a3545d1ea405a7accfe100dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34709512135314805a1f5ddeb33531b4

SHA1
20b1841cedf2d359b8387389b1e4899daeb3c8c0

SHA256
251102f48e20190f3ae844594aa3c80b94a17468f1bd2684ea94eeb2b9c64e65

SHA512
d41d8863b85996a6705a997f070d075f3e9b17e3e4b08dcf79c62843e42769d4afb67665600f2f07f18c96d8681892f7b048e2bd58ed06b18cdcc4a73a26ea16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
223b92a4794e9809bd3fcc3f0908b8dd

SHA1
75e351aa4a9241fa7f713cff8b2867e0d3a42c1f

SHA256
fcf8cf99c6a10c579a1a3a70593f57f1264a120261f6ebc6b5ad11fdde1ea1c3

SHA512
c72123c2171aa10265237aebeca168cacc11ed3c860fe5be03f9bcbf7b03c6a9fbd6b69e2bceb1b283ac65a151476517ea2a7122351017ce1d681d18c5aeee23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
4f8441070218cab8242c2ac17f7f8823

SHA1
2cb3d0a838a823fc88a43181b2e932a50c8dda59

SHA256
6a7561079e76777ab853e912c60ce7cee0869ba1a0a6a4a6b4b3353ae36a7612

SHA512
607071696d338b50cea72171f09da0c48928517315943511a709acc19674ac2b50a58763c011b7eda2d26ff2af2d04cb749fc214beb1bc009115f2fb561f8e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
54ccd67284bd4cceebbd078115a0e355

SHA1
e540a147b5322d05ed029af965eb333476768c1f

SHA256
aad52ead410a0b4a90dae83d5c38d36ccce33e5f5cefc1af6dfb002f7726a719

SHA512
5757d7f77b4fd8043d0f8c446f6146255ed631e1a1506ab0913cf5fcd859720ea96199e45c4529ea56ec95b8b317c96dbe6ea955110ed170144e050304217863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
056811f1138f4888fad7041b0ba909c4

SHA1
39f77a833e53eb20630ec17f31b314ffd32eebfe

SHA256
935b29b358c29cc8254e19c5a70cf9d7542e4b9b805065408e3d98a92dff824f

SHA512
0638d405cf84e1910fe01ebd7ce4f93c1783fd2868c715ef2323b31d7bf7129bd14b6b8484b81630c84501a0068a038e65031337974f168964375fd618f6f21f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
b38192c31eb57612a11122249f37aa30

SHA1
260f89baa900ede8e2de0cbfbcc2ffed54c7b39f

SHA256
fafb26a06f4b86e26766a09716992f3a6ec4b90315dc9d38d14d9ccf2f73136b

SHA512
d08d0fe15424bc9e13b25d718636702bc68e7146f81cdf0eabf023b54c03c6bfd483d18b63aa796d033dc7f15114e28dafbb85531ea2ec77e91cde957c6e1cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a827.TMP

Filesize
707B

MD5
6d74ea67f84e8fa52c35c87baf008c8d

SHA1
ab19ea7e2eec5c4b081223869f84c74c2e4b2aa7

SHA256
0e284dcc362da804c2105c980e0d7595ac44b6fdda3fd166c7136ec7786586a0

SHA512
4349047483d995bac45ed06e129d519087612087ea407a5d83f6c90d8a8825042ce07d73c40aebc23c8223c11aa7cb7737183218a6e38f1d2e962cab26ac6dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4ed07ae2026c0ad44233064fd6d34d04

SHA1
18f18060e56b6c46ad3354cf05e863705e136384

SHA256
b898b9be685712493a5fc48b28bc7eded62d9cee4d1d8a5ca0fb7537f88959ea

SHA512
0ed0f6cde3d4a275a51715d9112aba2f4597a4551c6f4c916399629fadc16cf62f8299ea74381c185a33aa88af01978314e12d44ef0052bfac3d0475c7ba7928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07f38acef79c006cc2526b6671869e77

SHA1
887eb1df007f7087346c6758b4ed41ec97b9f00d

SHA256
00e63b3a03a1e2af3be6aab46a552b1e24c4c3447d389540cb79336a94a01bc4

SHA512
998a09c734aa75fde6999274d71edc601148c250d81b261a747fbbc2350dd321f12cd59739135e5376feee840a6efd1482eb074c96bd4603b01217daa7329b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
61514c49c4aa6e27341b8a269a20aec7

SHA1
3e0afc43bd5bcb644173a84f0d62c70bbe30d465

SHA256
2858460618c65f6b87b78d547a247684f64b7e4ba7291070627efbcb55e2c6ee

SHA512
8c4689d2465d3e531c158b045cfbb52ac59b8708f4ece59038d21d41e27a66a1555d1ed6de45d0f39bc27cf072f5ae6419d66b06311efa98d3942feb3257f3c2

Download Submit