ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01/07/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
Size

894KB
MD5

bba43b11674959e041aa7dae847e30e9
SHA1

4d9f2a810074fba6b3807abcb3757795b7be2349
SHA256

ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6
SHA512

dd959f5aaf54737ad2a3dca2aa0ed94d7ff96c13b52511271770e6f7406fdfff71c9b1d1d49092c33dc9c92b01bff3db75c912522d050ef56f5eae24d2b4363b
SSDEEP

12288:KqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaMTV:KqDEvCTbMWu7rQYlBQcBiT6rprG8acV

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1328	msedge.exe
1328	msedge.exe
568	msedge.exe
568	msedge.exe
4540	msedge.exe
4540	msedge.exe
3196	msedge.exe
3196	msedge.exe
3344	msedge.exe
3344	msedge.exe
2296	identity_helper.exe
2296	identity_helper.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4540	244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe	79
PID 244 wrote to memory of 4540	244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe	79
PID 4540 wrote to memory of 3512	4540	msedge.exe	82
PID 4540 wrote to memory of 3512	4540	msedge.exe	82
PID 244 wrote to memory of 4616	244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe	83
PID 244 wrote to memory of 4616	244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe	83
PID 4616 wrote to memory of 4032	4616	msedge.exe	84
PID 4616 wrote to memory of 4032	4616	msedge.exe	84
PID 244 wrote to memory of 756	244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe	85
PID 244 wrote to memory of 756	244	ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe	85
PID 756 wrote to memory of 1504	756	msedge.exe	86
PID 756 wrote to memory of 1504	756	msedge.exe	86
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1092	4540	msedge.exe	87
PID 4540 wrote to memory of 1328	4540	msedge.exe	88
PID 4540 wrote to memory of 1328	4540	msedge.exe	88
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89
PID 4540 wrote to memory of 4548	4540	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe
"C:\Users\Admin\AppData\Local\Temp\ff687b27c6fd59ada7b564af918420662e78635a591298960e1518cfd42b80f6.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a5f23cb8,0x7ff9a5f23cc8,0x7ff9a5f23cd8
    3⤵
    PID:3512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
    3⤵
    PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:3752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
    3⤵
    PID:3568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    3⤵
    PID:4036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
    3⤵
    PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:1712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    3⤵
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,2848383688123594457,1832743695123417187,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3628 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a5f23cb8,0x7ff9a5f23cc8,0x7ff9a5f23cd8
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14076150310647878113,13634072546151893384,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,14076150310647878113,13634072546151893384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a5f23cb8,0x7ff9a5f23cc8,0x7ff9a5f23cd8
    3⤵
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,6011880188169638898,6017294694046919102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
39c4d9a156cb68a2073c9fffabcab554

SHA1
70a3cf56b55eb7970557ae48d0f4ea95cdb3be21

SHA256
77f0a17ed42513b552c4c905798aa3921064b65e7b034711938dc3acd66526ae

SHA512
b5fd8db039c79f7ccc3050249f20286da19025c591cde3892fa275e329495e60a9c4f7b623a0e5be7ed4f5317f81ad46e398aab91cfaf3ee93f88a538bd9bcd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
81eb7bdd156201f513464bbd8863b781

SHA1
42176ca44e80697ebc1e8b8f84bb00c5870cd0aa

SHA256
07fce0fe04e45f3bf5d049bc3e90ec8c022ba6c65fb6c190a712cf3407892bea

SHA512
aef98580eb991f23813aebef46f842c2472d5c841e7ac47225781ae7cc825510fca435ba739804ecb28832cb601f569ef4d4df7994baad81dea973df7e7e548e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7b3f7060cb00a7636d66635c30c591a3

SHA1
2f081586dabf76fdd35f215041d8cfeae39e5e4f

SHA256
44e3f9d443e48f82f5ecdcf6e56fe9a3f9ff35d64b40e69569648343124f3eda

SHA512
fc9b4183d58dbda92c94d69eafeedf9942aa0001c271eb90326cd951e5f8fe4cfd6417b9b15ae883b0294f79ef13781223bf7e662a2da63dac30484ceee2f077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a98f21d98f7372e2858c0d30ae81355d

SHA1
3e75d51d36e6925d7b60393989b2826f37146421

SHA256
2e39b953155e3cd71bc2e0bc649a1cb384067fd44d02ec64bcd6c6579cdecccc

SHA512
99a7f5c9fbef03067ac930cd85a6e63544447ae076c4d25db79f35f39198a47423179f165f4fc162aae543e321a64b27ed2dac34479adcef154dfe4b2606c59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1423d67827242160b119a5eeb983df6b

SHA1
4fd594813a35ca84a9f1c879509e632adc17174a

SHA256
69abc59db810a37801a8f3c12f6d3584587bd6dde2df2c2c0c29e09563a2be41

SHA512
c5faf7d471956bed0941f4a3b7f9d2d7d8cf6114fca1b46d19f536b1c214ac164d00c474a003e12a6dc67ae0c0eb7404c5e73aa8d7c1dff20854ef7f8ce321ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
c07204fea4e2f9803c75938f46331d81

SHA1
372d2bc241c5cabee1e8ebd2a1c33a95bbe16d31

SHA256
9806c69f6367c7699117d83d64e8dfa6359b3a1cd3d4a9bff9edbaee9acf69f4

SHA512
04ae600c1989262a4ce96a5ead017f3f0099ad27e1784feb07b86990ba65f47b858233314e8c2d81d333aa5da00afc5d38fa178d63a29e55dd9475d67ebdd363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a33ebea8c65086edaff28598577870a5

SHA1
27dd866973d6eb6a42882a12472444cfdbc351ba

SHA256
7ae4c5b90ff277457bc88dcfcf420fe3dc7ddfc3ef2b6fe1663091b95189a290

SHA512
e1c6eceb71deabbe456edc61b6ca70163ef4696af2a85eedc6d5ddbe721072f08e31e3eba12bba203b4d0a1e05a123cbbbab3ba209db093ec1ba3c039cdbdeb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
f17c0a738ccf3ede078f39294d7cadf7

SHA1
e5c6d5a3b4eeb62e8ab12f2a1e96afa002464255

SHA256
0a61981d247c5ba68cee06b8503d32e23b9236888364a154fc00448bbfdfb10e

SHA512
c2bdfd5f4e638327e53a6233a7d6bbd1c1ef6fe9f9f3edf4dbfd147e2a8794595bc1a5fbbd64f5c7f80c43a4fe72895e0a514ba68b4db553b12b3b252a958245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
a4af3635ef6cff706ea6b64ed1c569b0

SHA1
239d8a449f2c6531cbc9a6bd1c9fc92ea5685b75

SHA256
c5f7ef6e5a007edc6910c5b92225a5cbd6d3242335d3c18971243bf7ed518f12

SHA512
9372b4a210c5050ef8b0b256f4b910b1867a715eb802a9322b64d73343914f97866db71abfa5da9387b71d51390ead4412f420e7f8821cb26fa4df81a725bbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ccc6.TMP

Filesize
707B

MD5
7df6aef9b807fbc99616b9d9f3941da3

SHA1
29e4c998a27db08522d2c723652f460a2c79eff3

SHA256
d7444402019cb94e7d54ed786b52f56d515b2d713b3c02b5126e819d78a1c3bc

SHA512
b1b0ad5229d6c6617b66d8e36b95d3a78cf260f7eb753be036de943cc2ddfc9525ed7a3b2a6af749bc98b1964208836ec29e93d144332832628e81e08f647593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
62bcd61b3c56ea3c081946cad6be359e

SHA1
545f802cc4c4d921b4e0295e7e1b2c17c9291b84

SHA256
583d9aa403b1efa2628ec0feb41630811e802ca0c61a78af1719f75e3b3de819

SHA512
9e84ae35c99c0f8042e664a5611b451720387d208c7d8a41a1cfd8640b4ea9bd441df81c8bdaf44fa4de6b68e8ad6d84a0c4267de35e0495772f8fb1336da4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
40302cdc7e5594b0e926fd8c973c205c

SHA1
cacb76b22958f8ca9ad1448679bbc80b4d642a2c

SHA256
f79927adc00e265ddbd36106adc0175ddc2ec78faa5def7b04e32feb9527e84a

SHA512
64191295248459dbeb2c678db5b1b415b810b8af3d0fbe73ff31af95a9fbd211e6c414cc7d3986c4b7f3e0add60a7dcb146d41cdf34fc24aec134a36d27c3fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92aadd32107bae5d5a207287374c4471

SHA1
2671ea24084e4a03638b1d94fcbcfcd47728b35f

SHA256
ba7d798dd087ce517f4c1b255938cc331e5f3d12e4a2279937ea2b0a921234e9

SHA512
857dc02db571e533123d951fc76bb43c5fd07892842f7f16063d079af6686a34a08821c1cf1d02f36a8db122c1486db10d1e8bda3a3cefbe81ff30c73a46295a

Download Submit