e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
07/07/2024, 04:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
Size

894KB
MD5

17e5c5de2cae3dcd0bc03f578a8925ed
SHA1

14f46fbb94401949a652bd7139166b6f8f567c4c
SHA256

e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531
SHA512

6462deae5b5662473a519265d77fbc8062e8ae33579743633a6843f7827367c4f0b80148e8f3013ada5430bb0d4a349ce997f1099a75aeb3336df13c2dcb7592
SSDEEP

12288:0qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga4T3:0qDEvCTbMWu7rQYlBQcBiT6rprG8aA3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
460	msedge.exe
460	msedge.exe
4512	msedge.exe
4512	msedge.exe
3616	msedge.exe
3616	msedge.exe
3596	identity_helper.exe
3596	identity_helper.exe
4640	msedge.exe
4640	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4512	5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe	77
PID 5076 wrote to memory of 4512	5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe	77
PID 4512 wrote to memory of 4012	4512	msedge.exe	80
PID 4512 wrote to memory of 4012	4512	msedge.exe	80
PID 5076 wrote to memory of 3952	5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe	81
PID 5076 wrote to memory of 3952	5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe	81
PID 3952 wrote to memory of 752	3952	msedge.exe	82
PID 3952 wrote to memory of 752	3952	msedge.exe	82
PID 5076 wrote to memory of 1408	5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe	83
PID 5076 wrote to memory of 1408	5076	e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe	83
PID 1408 wrote to memory of 4528	1408	msedge.exe	84
PID 1408 wrote to memory of 4528	1408	msedge.exe	84
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 1532	3952	msedge.exe	85
PID 3952 wrote to memory of 3404	3952	msedge.exe	86
PID 3952 wrote to memory of 3404	3952	msedge.exe	86
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87
PID 4512 wrote to memory of 2320	4512	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe
"C:\Users\Admin\AppData\Local\Temp\e99034290276f146fa3c368cf445890da48ee70e77657ad5ee7490d9e814e531.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc27b03cb8,0x7ffc27b03cc8,0x7ffc27b03cd8
    3⤵
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
    3⤵
    PID:2320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
    3⤵
    PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:2676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9037724197958570358,5837403225860595672,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4496 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc27b03cb8,0x7ffc27b03cc8,0x7ffc27b03cd8
    3⤵
    PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12921368907749750571,1220928034310082928,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,12921368907749750571,1220928034310082928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc27b03cb8,0x7ffc27b03cc8,0x7ffc27b03cd8
    3⤵
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,15601949184543925543,12905037315514597757,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
    3⤵
    PID:3852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,15601949184543925543,12905037315514597757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
11b22949a84a750056bef0aa6ea4fc45

SHA1
c3d49da0344a2bb3cebbce6569b1fd223aa2ebd8

SHA256
59db861ff42f39a5f777bd9b8a167b7b15c96e60ed148ea875a9f1f0d4caaa6f

SHA512
01bbc38a4b8fb8a53c3897d63d3362c8a980fcb395986671cfd13e0fa893a68ab3e45379127da69565e0b1e4125a41834c62b06b8d9b852c6b71a1ec68a930b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b1f20c797906f82fd003270485ceaef

SHA1
51ee0859382d77aba329e0ec2dad81b383c534ed

SHA256
7980e988f80ffc29a79b2d13c0d4160ad1d1f77fb6ddd95b7ec263b7421a0c91

SHA512
7b8f859ffa55759a1e90540754bc80a4218ddf2ee953736865ba4c5c9aa33556bd8ac45da1dce7426c75c5d754268c450054f875927cbba800ad665f09941cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
93bb0b36c6899f4903fdbecceacf8fa4

SHA1
14d42725930f5e946ecb352826adb96920a34c2d

SHA256
fa4bc3d1f77a0327bfd6dd144e7d060ac2632c4069111dbbb46fba9b8b714af9

SHA512
6b657065035e48c8bccb4aa2f1d2e1aba54714d506d040b75850aec67c722ed881ba6604d5daa274897f99f9c10397c03273d6a4fbd4cca732930733993e1f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
48b852eae63f5a309c919db543f1b505

SHA1
227740cd2e2f5b2917e43a91b56fa49df4be6eac

SHA256
7e709c42937f5af217244cb851cdbcf3391971822588a2972fcca417758e4b2d

SHA512
0989d1f67d8f5e3f85af2c532a5fca2ef86eaec65bc760850c7720011cba9e331a5f01381433ea13a4cb169ce0d049616230975fde8778666dd3739d74cdbb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0977daeeae00487a5c0c709d0e88b46b

SHA1
179d4a93830e4824e16cb613935884066a91027f

SHA256
b618e359e802d2a9bb2c8ec926c2c3ea86439b67b4d1e9610d44205a8f378790

SHA512
d9c7e10e193a0ac448c62a82f4bd4c0209f36a9aeabc79d8c1ee3dea9acb548e575cd47762a7f22a491184b95c80e0a5172cbd31818694315aa8e0c1ec34af3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
51e85d36f6673ab00d8dbaa1dc9a6f61

SHA1
2cc119ce139dde9f35f2d93b9e2854d4512f311b

SHA256
559912e226c4736516eb37571eb9629097c4b74493b2385693df7daf4898d935

SHA512
131ce6ffa0ee512b2cb490813f389430d2e9da52420d873e28390b6e18525098b4baebf347314d51a7a6a3afb85496b0ccf5c7321018af64105f3180acbcf2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
76477bfa7c9be52db951f9e326077542

SHA1
38246c78b49e4febd8941e79caccdbabb6ceced9

SHA256
56fb2bddca7d9fb84c6e561816d0e68a66ae0be870724ee8384a115988886c42

SHA512
0b1f028c6bfeabfb81528ccaca1fcf9a1a30cb746f5497b2605c6fa03e58f14cdc16909dce0a6f8c0fc82ea9f3ea9dd3acdf94386a61ee62502759dd49fac2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
6bc815e2c754232d1625880e637f626d

SHA1
667724749142c6875c61f64d807f87de9bb2829b

SHA256
d91601fed3356d4c688eb23702b6967775d982ef87401daab712f8de6f88bbd2

SHA512
202ca8f3a41adf2babb91bef63cd2b9963040b6dd1777739e8a086df50707150f61746e5d2cd8c3ed8a9bbfafec4441e67e7d6cf930da9a2b0ed7a98ac1c2ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
2c6f7894959239c83704ac891c98b240

SHA1
4c45a641d4af07c30263865a646ed840bb197cd6

SHA256
c8c00c780737fef89477719497abac969fa51f206753d1d3042300c3672ff0c5

SHA512
d43e1b3a4d5060d2831db5498cc866591c0ede026a70a12881e7d476aefb0c20911b024e727ba887cce7319f38c73eb0683bd55c143e61f39cd81d659e4c8e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
dbc1c6a15627783e882d9649c381f392

SHA1
6f7f4154f9965ff1d4bd2393d4b2cd28048fcdf5

SHA256
a6be3b20d843f10515e533233b7408eb45bb5f212a874c9ac9bc03f8fb8da8cb

SHA512
5fcdfc26431dd7578d8a7ca61d8faf055cd3cfdd26328741b3bf3a98f96064a4f5e8cd1976e1c7e5c9901cbb672203f1be576291b9a15a455993b57b2873f63b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
064e271f0df31343200e153da4c2b9e2

SHA1
f10a2524a8a8ec78297c5ffb852159bc514b7ec3

SHA256
bf2284936a5fa2fb8652558545f72990e6b021a0266739fd6162bef257f2235e

SHA512
d2f18e6b8741cef1a107c57ad3a99d879a39b16013340f48853d508a070ab445b285adb63868ec5072c41e5533ce1249560d186145575c6417afec970515e7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b36.TMP

Filesize
707B

MD5
55e912dd94033c575752acbc363f917e

SHA1
a377dabc72bdcf72694d14ae5bb62ea6211eb5cb

SHA256
d7cc9fda597d724584c0f5a47cde7026fe3e909eebbd147392efff3c8a5156e9

SHA512
ee09adbe77e5c83db7484cc1ac016deedf8d3a1e9bb6dad594635883af976bdcd32b7c95a4902902c7fa3f221fd54f8ecd20fbdc24fcf3727791a5b06cea96dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a836a6511f11e8295042878ef31486ce

SHA1
a0f955c8abc6d4b61d6ad3f6dcff02846c427168

SHA256
eace49a34454c4c84fabb4f703031fec9c0c7a971b30e4fe1a736f2d13b7d49c

SHA512
ef9f41a23263461afa710a0fb1a680da3ef035c96492c8fb9de71431bf68752d32a28cbfd42de15eb6594518cacf511e65ae5e5ea8517ad27fb4bf11bf1d8286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3293ff92747c876f2d894c63c785ef15

SHA1
a2a0c541198a3ab03e0a93ad098535ea60404038

SHA256
48cb64e554c45aa6df863dadac6dcdce5ab8ea2ff459be8dfbc2642ab3840ef0

SHA512
28401ebbe4a0a6c51fc4d3d03b543df97dfba46973f4ec8c46a998311ad0a5db8c1e3dd135849f258d4e8580b5e94cf4a755451a3deada27a145d544c7bcc341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f71f3faeaffd0faff70856e74e26b738

SHA1
59518282c3b8b717a147eecd383616a45280db3d

SHA256
74e5da6da69f35494f84abf6181b734af4194836fcaa2dc63e3824ec8d938443

SHA512
997592ca9882ac903a176461290d1665315d85915fa8b02196a72f881edc922bbbc31756bc85280b057312809165608106d805cee7ad4e80bd5f88a263df2942

Download Submit