276fb9aaa5891fa085559bd168176203d14a1c97df09f05fd496fa060d79cb10

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImgBurn.exe
Size

2.7MB
MD5

9bb871708d51de6a6b72a47e569453fc
SHA1

ae7e7e1616f83425da8ebe5e23140417c7047e2e
SHA256

fa501963539ea9f70835d8d4f2004c8e0481127499e11c54959146746601b582
SHA512

4f250b48ff21eb0ef53e35f763bf1eda9bb35e1319560252e0c574728285d5a92b42dbaf1b05c8ace57af0aa1f849a9516b537ef73e9d43fe2b95597ab9421b7
SSDEEP

49152:pOn/RJc1sBKhC5cfSQNxA4P0vJ2m17LUFCiBWcwLGhrvoQ0rVTIQX5vzFt:pyYQQTdNxFoD1MFC6wL3Q0ZIQp

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/1592-0-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-2-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-3-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-4-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-5-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-6-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-7-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-8-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-9-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-10-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-11-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-12-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-13-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-14-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-15-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-16-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-17-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-18-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-20-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-21-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-22-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-23-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-24-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-25-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-26-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-27-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-28-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-29-0x0000000000400000-0x000000000109C000-memory.dmp	upx
behavioral18/memory/1592-86-0x0000000000400000-0x000000000109C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ImgBurn.exe
File opened (read-only)	\??\L:	ImgBurn.exe
File opened (read-only)	\??\S:	ImgBurn.exe
File opened (read-only)	\??\W:	ImgBurn.exe
File opened (read-only)	\??\D:	ImgBurn.exe
File opened (read-only)	\??\K:	ImgBurn.exe
File opened (read-only)	\??\M:	ImgBurn.exe
File opened (read-only)	\??\N:	ImgBurn.exe
File opened (read-only)	\??\Y:	ImgBurn.exe
File opened (read-only)	\??\O:	ImgBurn.exe
File opened (read-only)	\??\P:	ImgBurn.exe
File opened (read-only)	\??\R:	ImgBurn.exe
File opened (read-only)	\??\V:	ImgBurn.exe
File opened (read-only)	\??\A:	ImgBurn.exe
File opened (read-only)	\??\G:	ImgBurn.exe
File opened (read-only)	\??\H:	ImgBurn.exe
File opened (read-only)	\??\I:	ImgBurn.exe
File opened (read-only)	\??\U:	ImgBurn.exe
File opened (read-only)	\??\X:	ImgBurn.exe
File opened (read-only)	\??\Z:	ImgBurn.exe
File opened (read-only)	\??\B:	ImgBurn.exe
File opened (read-only)	\??\J:	ImgBurn.exe
File opened (read-only)	\??\Q:	ImgBurn.exe
File opened (read-only)	\??\T:	ImgBurn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	ImgBurn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	ImgBurn.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1592	ImgBurn.exe
1592	ImgBurn.exe
1592	ImgBurn.exe
1592	ImgBurn.exe
3324	msedge.exe
3324	msedge.exe
948	msedge.exe
948	msedge.exe
1760	identity_helper.exe
1760	identity_helper.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	ImgBurn.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1592	ImgBurn.exe
1592	ImgBurn.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1592	ImgBurn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 948	1592	ImgBurn.exe	83
PID 1592 wrote to memory of 948	1592	ImgBurn.exe	83
PID 948 wrote to memory of 3084	948	msedge.exe	84
PID 948 wrote to memory of 3084	948	msedge.exe	84
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 1408	948	msedge.exe	85
PID 948 wrote to memory of 3324	948	msedge.exe	86
PID 948 wrote to memory of 3324	948	msedge.exe	86
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87
PID 948 wrote to memory of 3004	948	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\ImgBurn.exe
"C:\Users\Admin\AppData\Local\Temp\ImgBurn.exe"
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.imgburn.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b85246f8,0x7ff9b8524708,0x7ff9b8524718
    3⤵
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
    3⤵
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
    3⤵
    PID:2148
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:3816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
    3⤵
    PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,9321725726417603775,3440171412495712880,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4164 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
06b496d28461d5c01fc81bc2be6a9978

SHA1
36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa

SHA256
e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507

SHA512
6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de1d175f3af722d1feb1c205f4e92d1e

SHA1
019cf8527a9b94bd0b35418bf7be8348be5a1c39

SHA256
1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924

SHA512
f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
19KB

MD5
39b7e0d992290c41da06068bfbfc7c77

SHA1
f6a4d0d93047d6cadf48b2bb752f89bc9bbf6806

SHA256
92d3d1073c33cb7ee8711bde6ac3c519b2b5f0044e5a2582aba96b14ccfef01d

SHA512
c67131ea3093c9863d3c7dffc37cf54d4b17bee7abae3fda9195535bb8a736ab19115fdd14591c7fd1966014891f9b140b8763695a80207756bf01c534388a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
a46aa261f4d3ead57df885a9b243c41c

SHA1
8f834d44d7b8befdd9a5eb8bbb754ca4d180a693

SHA256
38547609cb722f87c5b6c0ee4fb6b08c29be83e0e533b5d0128bd4a0181cec5f

SHA512
49292186431a2ed21944081030520d87cb328416878cb8749f3d245f948d8bb204d9e5443b89eb820cd97649722ab1952d677ff382b9059f8a7040db81cfbc8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cbb3bb63344ba43528d29bbd43bf9ca8

SHA1
8bba6f10edb3043c213567b4a545a396779124c6

SHA256
6288371d0138d644617a0439fc6c8a71006fd14510bae3f1f822ce1bd39b670c

SHA512
e2cf924cce1e505df745a20b58b8408707ee3a69077e988db66a33ddac50349790cf65208cf270069f57ab1d951aebe8a1fad0ac9a71d2c612b7832be0299f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
49490e87f0fa1f6fc730a0b61007b867

SHA1
5617f05b04cd1fee99636eb84d38cac275f153ce

SHA256
2b7aae514ff2d8f65534164579c23cf789ed6ccec8ff64e96bacf5b9a8f60fdd

SHA512
1f30d051d0f7ca1a0761a356457f01ab2954ad4022581bb0a81f612e6723eaca94861bc4be151ac4b30ca25f17e0bf95df8405283a77a254e9a04220f60f787d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f8696bd2-1953-4fad-900a-331e1f42bf22.tmp

Filesize
6KB

MD5
6681522d6c46343388094e30d059531c

SHA1
3f9035f33c16988e1507fa58cb11a7e5ca5a8f10

SHA256
a9ac7b2fc59812c39e44645124cc0a4bcd0edace93c8c8abdbd281f14f641e87

SHA512
0acb764045357f77c3431666e67cd2230e3b12a4eca916aefde4cedb54f80417000ede38c0fcd165f56d89b079734abe38f0219b9750e219a19d498639a5fc6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5619465643786537eb13cf73934d26ff

SHA1
23517d0e5b669568693ceccdd6d21e7933782a4a

SHA256
56f9989989683a6217db5427a8282ccc79753ffbcda681197779e57406023384

SHA512
c4dc0c4fc40265fc994b9c8cae5a9c40e578d1397f5d400231642d3ff1581fb0b22b6afaa2e64c1ea681ac5ea8f6979250e17fc7dd0f0e789c9a356f09c117e5

Download Submit
memory/1592-10-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-27-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-13-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-14-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-15-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-16-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-17-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-18-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-20-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-21-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-22-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-23-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-24-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-25-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-26-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-12-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-28-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-29-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-11-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-0-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-9-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-8-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-86-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-7-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-6-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-5-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-4-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-3-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-2-0x0000000000400000-0x000000000109C000-memory.dmp

Filesize
12.6MB

Download
memory/1592-1-0x0000000000A72000-0x0000000000A73000-memory.dmp

Filesize
4KB

Download