894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04-07-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
Size

894KB
MD5

da75c1f0bf894623c9692d4379af3ade
SHA1

ba3d713c72973f4e685fefb642ea9ec2e20a642a
SHA256

894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca
SHA512

5b29c770b581ba213eca9577a9ef33d2bfbc8c2a9d39e9a1dee98f4e07ed545d3467bc5731ae4b36879e531387aa9bde84e8cb6d34ecce8db7288f01eaeeec59
SSDEEP

12288:YqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Tx:YqDEvCTbMWu7rQYlBQcBiT6rprG8aAx

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
1276	msedge.exe
1276	msedge.exe
1392	msedge.exe
1392	msedge.exe
948	identity_helper.exe
948	identity_helper.exe
2308	msedge.exe
2308	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 1392	4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe	77
PID 4472 wrote to memory of 1392	4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe	77
PID 1392 wrote to memory of 1116	1392	msedge.exe	80
PID 1392 wrote to memory of 1116	1392	msedge.exe	80
PID 4472 wrote to memory of 1588	4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe	81
PID 4472 wrote to memory of 1588	4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe	81
PID 1588 wrote to memory of 2280	1588	msedge.exe	82
PID 1588 wrote to memory of 2280	1588	msedge.exe	82
PID 4472 wrote to memory of 2072	4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe	83
PID 4472 wrote to memory of 2072	4472	894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe	83
PID 2072 wrote to memory of 5000	2072	msedge.exe	84
PID 2072 wrote to memory of 5000	2072	msedge.exe	84
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 3168	1392	msedge.exe	85
PID 1392 wrote to memory of 5064	1392	msedge.exe	86
PID 1392 wrote to memory of 5064	1392	msedge.exe	86
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87
PID 1392 wrote to memory of 3880	1392	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe
"C:\Users\Admin\AppData\Local\Temp\894f50b9232689e32c941f6ffa57d18875c5c263b22a6790c3dc6a4ef77698ca.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd42823cb8,0x7ffd42823cc8,0x7ffd42823cd8
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:3168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
    3⤵
    PID:724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    3⤵
    PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
    3⤵
    PID:5028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    3⤵
    PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7191927149168117758,11892063304002019775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6028 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd42823cb8,0x7ffd42823cc8,0x7ffd42823cd8
    3⤵
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13613414892794577800,1707982254196479268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,13613414892794577800,1707982254196479268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd42823cb8,0x7ffd42823cc8,0x7ffd42823cd8
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,3336934687202052337,7750923230539578074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
    3⤵
    PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c4605aed5013f25a162a5054965829c

SHA1
4cec67cbc5ec1139df172dbc7a51fe38943360cf

SHA256
5c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f

SHA512
bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3066a8b5ee69aa68f709bdfbb468b242

SHA1
a591d71a96bf512bd2cfe17233f368e48790a401

SHA256
76f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434

SHA512
ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
352212ba557004685e6e8261115b7e6f

SHA1
7cf73036e493774301f15dc4eac2b97c4445f769

SHA256
091fa0d3efdd3586a3cc3d6bcc608f80a44e4909c57172ef75b84153b9a699ec

SHA512
433c6df8233a350c5dbaa0eeebbd00575ec253a5d84ff7c9d8b230e0fe26712b6c90ad004e112bd1b0867bd516bbb4463212f91709451de92208b836f8317a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d640ef72b434ad1acf0e16420aa26515

SHA1
ca692d810a4006922af79cbd46456456787e5961

SHA256
36baec387e1fbb1e050d1adb10525306b82d65310447e30ad5cfc73fcd10bb68

SHA512
bba5dc1eca4588006abbd8f0a7d5b38f0d6cee29fa2f5c8c186f8b5db4741deb2af0e78c566d8fc9debda42b3261e90d1ce16c62d4d642f1caf925eef6f16dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
05704c5ab801469180ac737b704de1a8

SHA1
f912517ddd513e9420f8c566998a6805958e2f51

SHA256
421f15269beb0221b2aa2badc161cc5bfd395a77d8d87aa2a04675884a2d6039

SHA512
d5eb586bfebd7cb7c3e75e4d5b5203f18ede69258ff0e1a29e583f57dcaef9c75449e90d6b45e722c567ab6118b5c7df226fd04bf625c38a460bdabaf0af2c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f6196663324e2467b8c43cf639abc648

SHA1
59bdefe3da1946ab74f3771d977d9279e4b3bfd5

SHA256
cc9778b8fe9a160c8413cc55ee8bc3d74c0434387a60f0eb5af47a224bdd986c

SHA512
114f27bdb3983841d5f67a28f6139569a1087f02a57caf40d8a17a61916fbf223b5bf3343c83c73917cbb5746a855ce84e875f98f2f0910bdcae2af161735f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f69323965ef6c96f5b648b0b99cc43da

SHA1
4c79d4097a00820588a8c4d6a9b09b5ea488c692

SHA256
74b56ec0a13cbc35382b780b3e877c2a19369017b5ecf11db9d1b09280392cba

SHA512
b80cd3608a42f8874b0f943943ef430fe487d276430ef8b56bd2b6bc04021ffa5208f17a4f2b59bea0243dccef6d23d82a472a9b76224487fd046c4aca9194b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
4c05f56797f169b0c7d79b387ac18ff9

SHA1
388e653e76ed6d95f182abc5454adb9e83ad0055

SHA256
5d2f469c7fba0c0fd81606fd3cc88e0dbb98b20e145c6d7b1e30f741f9029891

SHA512
0f54b1c07b3ee298f829ea9fbe63590da7a46dc555a27935a2a72feadf8c2aeda79dfac39d5c2d9c44855df54da8588dec7bf2d1f4e05fd9af883c38954fe483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
f4ef91be53ba2497224040898356f094

SHA1
5a46ab283274ba725d48de56ffebd1046e5c45cf

SHA256
0e4b657c306903cb0a1c2124eb41937e1021dcfe9d53982058a208fcdc1d97dd

SHA512
9c473c110ac02708838b2c625f68002b917147ecb8916c3968336150fe66f8d6cbafd91b4ee16178abe049eaedab296654ff880cdcf7c2e86fc8e3cd3c04a023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
8258d07a48cd88f29813e6277a20439b

SHA1
24fb4b912c274a02cfe7b11a53ec0026319f2cb7

SHA256
48e1d31a919e11eee1406dda2ab021422f47a8886286a83167fe1fcdf09a8d2d

SHA512
7006c7cf4aa01509bd064d8a093d73383d752bd8e8b43efa4ee1a968b77bb6232ed245d0151fd996bfa07031e364c9aa258e03c1bb8f192369de3275fa2e2aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
d4bbc46425f6b6b4783e5d6dc0658b27

SHA1
5d21739151a38798a20c41fbd3d3a9d318d01252

SHA256
be012fd53eca8a278c8d266b79e0ea2f36b25043f12ccd76371032bd290734b4

SHA512
9d866727ab3b8b263d846b831b1ae76359c1d97097937baf9a80599b6c59fd26072f78ac04fcfbbd9ce442b33baa5cee1960264491583fbaf514921a589755b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
35efe06ed976879ec285f59915864cb5

SHA1
bcb677f4314f085c7962e1534ea7197f28a6d90a

SHA256
67334b3fb278de4435ad2293b48dabdfbd540b36461bd2961e8ee3538d4a6ce0

SHA512
147ccc2d6269c80b466358c1d3b9f93656dde91769a20079408151fb7da71d6b775cd874ecff57fd8ad1a14912391c8fe9a0027dffcb4cec1683d5baeaebbbe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c45d5384a8f636e6665e3821e85e1a82

SHA1
ba8b7a35db551e10064c2584440396f0d12eeeed

SHA256
6c4154af7d2e015a179ff30b319ebaf79708b08555e475a34d1ba01d71ce6766

SHA512
2f44dea44424e364461a18397b51748dbefbc75cce9c2d77854c323329af40b192d191db984bd57610a7db047e6ff06ff51a648be5ef4a29e5cd0633e595c326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f04ea0e9be9aa6216ccc9136013b0a33

SHA1
d5f0b1863a126b96365c99b912c664654bc48f07

SHA256
c0a670ee424e43351445f4ffcd6f5394f6191fd53dba8394776668ae2edb48e1

SHA512
7f1ba3fd8881e76fa79fd5525c776ad662da2a6fdc8a7b502946acef4ed09fefc2376de2896688367bdebe6644b173f9dd1c62c58fac4076c95dfc10becaa4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
67307e77dfe2f7e26807b77465bc3175

SHA1
8219355c877d58c0c4ef7b407916c9c7bd4380e3

SHA256
f355faf0ea3af8bbc0e28ecfea13d6e82c321fe748bb4b5a48c75a50877c5209

SHA512
b66ead590cea161e3cd787940480c815892ca99767944a0eea4f4a85573032c5ee372c400c26b04e312aa602143a2b3c02e387b05a5486aaaa83d73cf2d681b3

Download Submit