638e00df9d24c502ea69558ce590ca10ee711657dfcaba4d13a991a49517a91c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Jules.exe
Size

423KB
MD5

b5fbf5a1294ad6940c3e5f241fe6bf30
SHA1

89fe4331123efe0f1cdbcf083a0bcbb4a1daf455
SHA256

638e00df9d24c502ea69558ce590ca10ee711657dfcaba4d13a991a49517a91c
SHA512

f614ebb6128d1a2c38ce5c5ee04658d83dc91b51eb8e10bf3382cc176a466a4754955d5298d6679f4bc1ed4ab3261fb157f7678b70f8181af1e0cedf7a4e8073
SSDEEP

6144:tQ2J8rfffMUseuKzb9NGw46fzfJ7cfMPvzHc3fS/FEidMfcfWOzffxrXOvk3RFfo:tQbp2jGPvo6UYG

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3076	5096	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jules.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1436	msedge.exe
1436	msedge.exe
1468	msedge.exe
1468	msedge.exe
3404	identity_helper.exe
3404	identity_helper.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe
5172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4832	1468	msedge.exe	95
PID 1468 wrote to memory of 4832	1468	msedge.exe	95
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 2292	1468	msedge.exe	96
PID 1468 wrote to memory of 1436	1468	msedge.exe	97
PID 1468 wrote to memory of 1436	1468	msedge.exe	97
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98
PID 1468 wrote to memory of 4044	1468	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\Jules.exe
"C:\Users\Admin\AppData\Local\Temp\Jules.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1048
  2⤵
  - Program crash
  PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5096 -ip 5096
1⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbed0546f8,0x7ffbed054708,0x7ffbed054718
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11705212008406639763,13298601732327221919,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
787cd0ae61b4ae28ecac14fd2fca25fa

SHA1
25736c9cdf5b02548c9b0f0e64bbc48ed4b68f98

SHA256
0b63be4c0a9c817f3e672d9cdcf5b866d3526de4ace7805c42ff1543f3565935

SHA512
799ff5f5e700d13f9ffbea8f7990260f64adf98fb2d150655f34142e5f79500ceaec4d2d0fe5317b2f8f464039e9715a8fdb125d84cd4538f27b86f4f018f075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90e672e0e9479fcec3b3e1d5b6eea6b3

SHA1
3fc5a103f3f29d257b44d738a949c39edcffc3d7

SHA256
7f41ad5e55dfa8ec18b7f0008f6dd006377cb3af80bc9b4abcd20ff0df0dd491

SHA512
af3979c823181a8ae553193d8b5cc017a1bd1c62192312192b677bae612954fd7a35069121dad217888475d18638ef5636a1b6afb7e554527f31eb3b3058c540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb8edcda54c422bffc860d2e080d2b70

SHA1
c12f01df0ef74b7f29cdffbc82c03ba43ef01fa4

SHA256
9e42cce6ec4bdb0a3fd4add91c872c56d40363b593600039ab5a7b9700eaaa82

SHA512
a8d1a67a2bf4a1b6dadc6fcd39b942d562bd4d1200c5113a745b9e0604c0ce1a62c75bc0cc36de456153084639f038fd0868bfe6dd97ed202e114ddd1c8ae62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8026ba05f4b7babe5816ce25c4c70253

SHA1
f55e46fc23bfe446ce9a56f041268b2a8e4245c7

SHA256
1bf8a087e8051e287513cf843976239b124c139afe4aad5dd8386c5a89cd4a5d

SHA512
95c7761931f956f76af02348f6a39b19d473cc96a95e55c8bb0670f076d9da4dfdf783ac62d3523671636ea33d9280ea5c1eb602e6acb1a1f5743a4739a16f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19b02e443346d8aee3a7a3d2c99aa192

SHA1
94fd3e7fb6dd2e2d89ea5294691f543dfb2b5e61

SHA256
376a60ea5d7307d2c4b22c13106082e688e737ffb163c091fba3ac4bed4f21b9

SHA512
7cca4bd0809f0d1858a97c3b0bfcd3f28f330492babef4ffac4d6bd15b1c3f4c5dbff1f06836f3982595195bd7d096c4a791075795154e40dd82ee3bcae0c2d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
83517de27743bd86a1c259e2a1a5032c

SHA1
87d265b24b431db74b3f1981da43242f480158c2

SHA256
7b305c2f1f8b1b7b9a3f296e41e386683f43011b681da8ee9587885f041ba3bc

SHA512
aaf4f45b3a6d84bf90b4c49fcfe24482a2e8ee329fa2de02fc9d09054aac1e886180e65d7b6b743659b97bebaf5b342e27595076c977eec80d19f95df6533bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
559bfbf7b119969c4e329be0cfd299f1

SHA1
1d779b95f2ed20b78764aa1a84be65c76677a67f

SHA256
03acc3bb1e7f25b3c89acfc798918b248622304c69da2f9b9bc7733a0967d291

SHA512
f847bf6fb8160d983dc2d4237735795db83d3cb9b2736d73def41551ac79883814f501684d797ba11f033d00539bf10f19f7656647c63bc49c4b0e3c7ffd9520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1f6740362892184faf63f65de9e5b33b

SHA1
5fef6ac0d261f3850e19e9bc24d2f852f1b270ce

SHA256
768523071d5559809bf78857fcbd0925f3542e38aa9056968f129befc5b73509

SHA512
71e27a81ddf434ffe8881df4266d5e51cbab617bdfbf583aebc1fc6c4e6b9ab652e39b4aefa925602240fc3fac7f1878dcf016294b1394ff787ec1aa930be824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593464.TMP

Filesize
2KB

MD5
8f8f2a979d212ed6d1d6a8cb93151fbf

SHA1
41d68de84b0ae712d49b796fdcfd9a1e1c83ce00

SHA256
8347d687f4ff2ec78b55077519f177bd884ebb68298bfa6aea8bf8535b6aaf45

SHA512
1eae9d4eb34675413fb8271c1d9e0349e9c0fa9431876c1e4a3725b46950fe41cd068ccfaca3f2e66d8dab577b12958abf48662b165a7a3d017e335f1e87618a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f69960554e155e72ba7d8b730451674

SHA1
2ba220816b130fb28712eda238812574a5307249

SHA256
2ededa3b9056ea76b8b77c738625c09081807296ef3e35033cd463c6aa4be67f

SHA512
053084423dcbeae361c7f790db6fae572b11d9c8098aa29326be589df34a2ce33c8690aae7069886676179d57bb072044415e11356f3fab3e85b28025c43dd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a45d0428adfcc34bc33c7cba50efc1d6

SHA1
2a9094ac97e9d6e655418761f821b3b4c202e895

SHA256
be4ea80a392b8aeaf1450820fe3dfe311f0d74b0f711671588d766c28be7d797

SHA512
c55b47217817e277e350f7212a7e2c2a6d84f16c1432280ecf0c49ff199551c14991f658d96badbd387d8691c05b3465b19d3e014ff69a696437ff1e581a8c25

Download Submit
memory/5096-0-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/5096-6-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-5-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/5096-4-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-3-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/5096-2-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/5096-1-0x00000000003B0000-0x0000000000420000-memory.dmp

Filesize
448KB

Download