f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 08:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
Size

894KB
MD5

77fc27026206527998d14e096525bff8
SHA1

109bf55da2f801b1cbef708a80f1e80cf82b9d23
SHA256

f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a
SHA512

d1440ba530fbcfb4530abdefa4b5a962da454cd6511e48b0a3fcec70f2b8df6cc63b7ba9ec18339ece3805bff760de488e69fbd7794222254f8e2d7fc99ef944
SSDEEP

12288:xqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4Tv:xqDEvCTbMWu7rQYlBQcBiT6rprG8aAv

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
1064	msedge.exe
1064	msedge.exe
4048	msedge.exe
4048	msedge.exe
4428	msedge.exe
4428	msedge.exe
5468	identity_helper.exe
5468	identity_helper.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2584	1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe	86
PID 1612 wrote to memory of 2584	1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe	86
PID 2584 wrote to memory of 2896	2584	msedge.exe	88
PID 2584 wrote to memory of 2896	2584	msedge.exe	88
PID 1612 wrote to memory of 4048	1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe	89
PID 1612 wrote to memory of 4048	1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe	89
PID 4048 wrote to memory of 2712	4048	msedge.exe	90
PID 4048 wrote to memory of 2712	4048	msedge.exe	90
PID 1612 wrote to memory of 2884	1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe	91
PID 1612 wrote to memory of 2884	1612	f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe	91
PID 2884 wrote to memory of 4792	2884	msedge.exe	92
PID 2884 wrote to memory of 4792	2884	msedge.exe	92
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 4240	4048	msedge.exe	93
PID 4048 wrote to memory of 2724	4048	msedge.exe	94
PID 4048 wrote to memory of 2724	4048	msedge.exe	94
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95
PID 4048 wrote to memory of 2096	4048	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe
"C:\Users\Admin\AppData\Local\Temp\f4172df79744df95700e3afd0bf2635b2910cce9006c85e5d89278228200280a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc5ba146f8,0x7ffc5ba14708,0x7ffc5ba14718
    3⤵
    PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,2437654356892515319,16360773068519367097,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
    3⤵
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,2437654356892515319,16360773068519367097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc5ba146f8,0x7ffc5ba14708,0x7ffc5ba14718
    3⤵
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
    3⤵
    PID:1712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
    3⤵
    PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
    3⤵
    PID:5884
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
    3⤵
    PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:5552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3096497530238085007,6352155762440982401,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3104 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5ba146f8,0x7ffc5ba14708,0x7ffc5ba14718
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9045000610265406097,2714606241070607976,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9045000610265406097,2714606241070607976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
06b496d28461d5c01fc81bc2be6a9978

SHA1
36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa

SHA256
e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507

SHA512
6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de1d175f3af722d1feb1c205f4e92d1e

SHA1
019cf8527a9b94bd0b35418bf7be8348be5a1c39

SHA256
1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924

SHA512
f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
07b1f8e633265608874071b2267f71aa

SHA1
d2ab50e4edd86b9993b13bf2c88ec2447cc16e2e

SHA256
d5379eeac7487d9ba000d78a3ce46090366a782b2bc99da73341295241de0b41

SHA512
41dc0f1b96180632b2df37064a4c357a21ab85c7905f5bbef1fe6f37dbd5954c945ce810760289802138c6da3b8892f3c78facc8626602819ac3e017617625fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
59c2098270a07d5ecd3252e9a1fa17a6

SHA1
4a006bcfaed43654ff2e82b1aa25adc8efc1bf27

SHA256
d016730a0babe1669db7a51534774dc0bcf4d955145e35d4af1a6ee8a2950733

SHA512
fc2466cbc184808050c063b5e8eaf01e09264bf07a0bb10965c85ca3b7d28a79f5f01e2733a55c05f117e3654c6e5926e04cb293e652f687e7f77204d06c1508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
75cf3a065144c602eb2fa004a568d09c

SHA1
fd5f34f23f686dc77c682b0dd3b90094462ce65e

SHA256
31d54f5b52dba0b0a993b8163fdc730763f3e7c9072cc34d8b6d5958a6282b8f

SHA512
9aeb653ea75ba98c2b02195f5e72c4a843a60544ebe2e6d6cfa70581707049d980f6f3eb26c961994126a7ad25a7b46a98c47aee382a4e9e52bd3629d8452f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a49795a6a44c2b3bd4c2432eb7f974ab

SHA1
f2f297ebea8ce242336acaa1b0f50fc971dfcdb3

SHA256
88ccf27d516eac8813a27d80fc4e5872b20c41f337617f16955534a7387c5d27

SHA512
9f250947f7012b10616797cd68dc261093257b0b0c7c3749f9102ebe19dcabf8639cb697c1375e05226ac7a01b5942646e7d5576ac36650432cb5c80dde77ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1a6c57ae6c56a5bdd8547d3909416a81

SHA1
5b06fc70e221143c725fd40abf6ec7f57271eca9

SHA256
0366ccd18f78c578b22179b7c6f3560a1a31dc95caa877d13560eda123143f12

SHA512
0b202cb7c94aa71188554bdfe22ccf1daa2245ca2acc8ef47716651af546c1fe0e762dcb647bd4cf68b8d4c66d9486321997757c96265b27e2147a690530dbf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
da0ecd38557dc0cead7c8da2a48d46e1

SHA1
321f62cd3a265574e614c0f576d5268a3ee61fee

SHA256
7754e16763eba0f7d12e13c426ff8b7b498b2c982a71bd555fa3ab630fbff414

SHA512
77e1f9f0aab3f08540fe6c00dd95024d6620e8550d87d4e48836ad3084014837c0d96c1db262e6b23b52b24ae8b85f23ff7a431ed95e656f56f2d9d725c90bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
edad4226aa5f34e1f1eef4a9b836ad8d

SHA1
78cc5b9398516c612c295b57c37643a4a845812f

SHA256
0217a86542de36f3fe04cfe4642d5002a6a99f58023ad24a172afc9b94dceeed

SHA512
9ef5a8ee7b8a20f1a5b1cee488b5abf728291bb6527f2e92df0a46e5f5e1ce3da53e1816c99592457ac5771456a38cf9b902ddb63ef441d5b4c80da796d1ed90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
20c2767945f5576c0295047d7b6d2a3b

SHA1
71f1f1ffcb1a97f53f00653e15ea8f5b919f0bbf

SHA256
c1c361af83a5d330dd4573fad33c0a738b741dfe1ad19367d75781d7917a821c

SHA512
8b5e1d6de406aabe6946ecaead1fe7f148f884628da888f00902fc3607100479590ab4b0cda4091bef477e63184fe1b96bcfa63c8d172e292d9f7c5d69aca284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
fe6b2bb2bb369371d2bd5b369af28d48

SHA1
0d90d9c06c6c4408c7f22ae1970f9c2415fe1a39

SHA256
91fa015ad9c732b7270ce21351cfe8784263f7b84900e4ecb47221a73238ccc0

SHA512
96740408c3f3b646228ee0fde917792596bfb3b3c34fc53d63165b0207babc4fe941d1f324e763bf1551bdf429fe0af17c17f3491c1ea3bc394dff99d28a9473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
77c1d69ee4a98277ba25ef4a8ce1591d

SHA1
eab74c66b079fe08ec7549f749fcb7aadc614454

SHA256
c7a7c06831b7ffbe9eedcbc57530ca8b5c363af260b08d0c46564b41e5a7b3c7

SHA512
40a628d6ebaccf0ef0ec0f22df521d70f04347ed952294e0991aed1e4e9d75506d7c7171a3bfd52016a1b8067798e0837f8a4ca6d5af80f187e4d85b9c8c7b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588e60.TMP

Filesize
707B

MD5
2a842024326a85e10ede4db991a3b6a0

SHA1
812df20da9a8b2da705ca15f41e1f559168f89e1

SHA256
8f9cb29ed786ee0c1c295cc0f890d5d1f9a01215dbaad5221a62b6346e195085

SHA512
b1ae6ca51891ec3f583387e819c403d9c8ae2f403a36056a029479819db7fd5e5328a8cdd18404cc751d716eba1b83421af6e8de6bed0474249e004e65327a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
dd572f13479adebd6d69364beca4f29f

SHA1
de8cc1cea50b8314250aefed05eaa3ffc96b8fa9

SHA256
062516ba2443c4ce19bd307b860e647f7a170a33c53728e11624ebb5906e185e

SHA512
f3448543802eb9d9195df5f80ffd621a29265080eae29802769576f04bb79690b23a759ec59fb6cdf91609477d56056b37ba2796bb058c2e8780a3effbca04b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f3033cb555e0cdf403316a44c4e26f96

SHA1
1639b71479a80c0999c9ed9cba1054714425843a

SHA256
f27531c8a089ae22804ab2769a9eeb80378308e9648fcdbfb778c252184e2768

SHA512
889eaec7743b2fa9b07c420d3c4b24cf9cc8ea934f5eea97ac13fae9d96d86278d58ffe3c2e8462f6d764f535edc20812af52e5fd5785c05617e48702ba0a149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b445e2d3785f0ac3c8cd78836220b88e

SHA1
e94253f9f9d5ad128d02ce77310ab636f81db142

SHA256
85216248f7541ed075ded302eb3dd57f26077fcb9bf4f0226b8800b4bf96dec2

SHA512
11af26a7caa01da8e69e01bf1320a6d4dae7b6c4d6184aaa135694b39c218fd2a082e3cd274a8fb33ee226fa5552c2d0d9ffbe65d67f40491c98a243787f338f

Download Submit