Malware Analysis Report

2024-09-11 05:42

Sample ID 240630-pxxfnaxhma
Target http://
Tags
discovery exploit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file http:// was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence

Manipulates Digital Signatures

Possible privilege escalation attempt

Drops file in Drivers directory

Modifies file permissions

Boot or Logon Autostart Execution: Print Processors

Drops file in System32 directory

Modifies termsrv.dll

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Print Processors
T1547.012
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Print Processors
T1547.012
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Remote Services
T1021
Remote Desktop Protocol
T1021.001
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-30 12:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 12:43

Reported

2024-06-30 12:49

Platform

win10v2004-20240508-en

Max time kernel

313s

Max time network

315s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\pnpmem.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rasacd.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\BthHfEnum.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mpsdrv.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\pciide.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\scfilter.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\cldflt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\cxwmbclass.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\ataport.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\umpass.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\usbehci.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\acpi.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\gpuenergydrv.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ksthunk.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ntfs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ramdisk.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\tdx.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\Dumpata.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\dmvsc.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\hidclass.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\intelide.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\vmstorfl.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\wof.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\pcmcia.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\condrv.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\cdrom.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\EhStorTcgDrv.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\modem.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\volsnap.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mshidkmdf.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ndis.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rteth.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\scmbus.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\FWPKCLNT.SYS C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\refsv1.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\usbprint.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\netbios.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rdbss.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\BtaMPM.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\serial.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\usbhub.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\ws2ifsl.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rdpdr.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rdpvideominiport.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\terminpt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\1394ohci.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\bthmodem.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\null.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\storqosflt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\UMDF\usbdr.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ataport.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\fvevol.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\IndirectKmd.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\mouclass.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\videoprt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\dumpsd.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\wudfpf.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mspqm.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rasl2tp.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\acpitime.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\mup.sys.mui C:\Windows\System32\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wintrust.dll C:\Windows\System32\cmd.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File opened for modification C:\Windows\System32\spool\prtprocs\x64\winprint.dll C:\Windows\System32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\en-US\clip.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\ngckeyenum.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\SensorsCpl.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\pcl.sep C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\downlevel\api-ms-win-security-base-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\hidi2c.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_src.inf_amd64_0bdbb11733d87f9a\microsoft_bluetooth_a2dp_src.inf C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\Microsoft_Bluetooth_AvrcpTransport.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\fr-FR\BthpanContextHandler.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\HdcpHandler.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\uk-UA\SettingsHandlers_Geolocation.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wmerror.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DeviceMetadataRetrievalClient.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\xboxgip.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\iaLPSS2i_GPIO2_GLK.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\c_ucm.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\forfiles.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\vbscript.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.Types.ps1xml C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\es-ES\wkssvc.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\mimefilt.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\it-IT\MSFT_UserResource.strings.psd1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\ipconfig.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\c_smrdisk.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\multiprt.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\es-ES\lmhsvc.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\fr-FR\VaultCli.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wbem\WMIPICMP.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\netathr10x.INF_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\es-ES\DeviceProperties.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\uk-UA\WSCollect.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wbem\en-US\NetTCPIP.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\mrinfo.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ja-jp\openfiles.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\BthLCPen.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\ChargeArbitration.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\eappgnui.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\es-ES\SrTasks.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\RpcEpMap.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\MixedReality.Broker.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\netutils.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\spp\tokens\skus\ENTERP~1\Enterprise-Volume-GVLK-1-ul-rtm.xrm-ms C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DialogBlockingManager.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_9fc7fe03de136fc1\mssmbios.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\es-ES\defragsvc.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\regsvr32.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ApplicationControlCSP.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\WlanRadioManager.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\C_20278.NLS C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\de-DE\netbtugc.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\de-DE\runas.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\AuthFWGP.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\de-DE\ComputerDefaults.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\rhproxy.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\it-IT\cmlua.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\spp\tokens\skus\PROFES~1\Professional-Retail-4-pl-rtm.xrm-ms C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\uk-UA\sndvolsso.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterUso.Format.ps1xml C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM~1.LOG C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DragDropExperienceCommon.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\AcpiDev.inf_loc C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\fr-FR\rasmbmgr.dll.mui C:\Windows\System32\cmd.exe N/A

Modifies termsrv.dll

Description Indicator Process Target
File opened for modification C:\Windows\System32\termsrv.dll C:\Windows\System32\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 5048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3564 wrote to memory of 3240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa087846f8,0x7ffa08784708,0x7ffa08784718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"

C:\Windows\system32\takeown.exe

takeown C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\*

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ss.bat" "

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39f9055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 612a6c4247ef652299b376221c984213
SHA1 d306f3b16bde39708aa862aee372345feb559750
SHA256 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

\??\pipe\LOCAL\crashpad_3564_QMXROVLGOVFMKKGB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56641592f6e69f5f5fb06f2319384490
SHA1 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512 c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5948165f8ed59d3485398b8222f49939
SHA1 ec086106272a57f384240a870dafa62466035009
SHA256 023a895eddbad14f2918c45de8f1ede485749b0b3ef38fb147b7b1284d8b453b
SHA512 8930373458faa90431308642c0f54efce7f7c0131a2693d9b60c2af511c5787ea403255141540cd2e4691e589de56e7a670de5d58eee944bbd5da440fe124448

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f52042df80a15d8fa06e00264020a515
SHA1 6d58f7048341c1b99d1266902abcd76b42cf56ae
SHA256 b4831b6efeeeb441efaa5cd8aca334cc7e04665cf315da7b5e3caaeb99f96e20
SHA512 aa68f76e78b16b72d693bf258ded910f18bfcb51cc84c8b01c3834daf810e5d7b6a9c3ff698f166f4bbd371153afb885983c5b27517fb8589596f43756c7b732

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 43da7c92cb55983737642fadcee306d5
SHA1 07e99a5d64605619136b42498413096ef9d7b1a1
SHA256 4b5c52243cdc19319fbc9f66fa8d40c1f42bb39e77ffe6ad6289dc756175d514
SHA512 31f50f086ffcf1fa21d06bb394848ef4af2a8e534c468d48b008cb7e3dd004cec627d010f5206e2010821055178e1d56f347f9b017e43c63716da3b586287ae5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\Desktop\ss.bat

MD5 3d11bc6b0fe2196c2188d0e05ad4d33e
SHA1 e231a665becff3938d428a3cead603fff36d5c29
SHA256 8848120f4bfc807f73eb8e8211ffd9c9c6fef06ca1369523795323f34da762b1
SHA512 42555f44a6c154d14d0a5a734769e36fa65694f700feea72d8f623a9a14dabbf33323bd1a45178ae5777a9f2d82119e7334013a2b0e550c601a6cc9bc052aa46

C:\Users\Admin\Desktop\ss.bat

MD5 67ce02841f86b07da1a983f24d5a0ee4
SHA1 a79fcc660b46cd80cf7aaac666c482ffb5b77a91
SHA256 35ade8238f00005ab089cda97210da573ae1408152ab8a3070f221e31a6e2b55
SHA512 1e111b854d201430a0de486b0c2db241931567b323a710a4297fd3c6df5bf2791dbc905766e133fef232c5c3e3345aff7526fa7492a16fc78be4eaf8a5411708

C:\Users\Admin\Desktop\ss.bat

MD5 16e25fa495c6a742f816929a5c8fbb77
SHA1 dd5e01c47b8ec5d0111375b109c6f76fce8f4a23
SHA256 58e201048a7b856a957fd9e5066208d094c70e804128b487ec98dfea0a10ff68
SHA512 8e1ea967211c67524f15d6ac8f7c8b6dd203c81a5ff990259a55bbdd624941f84ef9dbb7ce88708e2a277b8a21c9fb5cff1120677bc06ccbef432b9d17ddafdb

C:\Users\Admin\Desktop\ss.bat

MD5 64bdae31156537beb24e536b6224806b
SHA1 f728e44e3a84adb489c2afc68eb47333a312c9bd
SHA256 ad9bb313f91ed8b22a9ccfa24819dc6df7de69f71289b0720ac22f280086a988
SHA512 438006824b39b6e1367af2cbfdeb2ee308322913ff4929a8191f09beded9f4427b568034f48f286b4ba0bf9862bbf2affdc65c4fb7447f2b555164179b5fe12b