3dadcf5a61d297a2c61a690f7893297d2197bd6ab9ab87e7583bcbec66a8cc55

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

896KB
MD5

f3e9e7e299b3f0cc7af5b93451f8a6b8
SHA1

737f2da571a2905d1843b2377aff25307b90c404
SHA256

3dadcf5a61d297a2c61a690f7893297d2197bd6ab9ab87e7583bcbec66a8cc55
SHA512

0de88e5720b9541b967cc81b03fd14a3cd1eebf6cdca2449cb00d32c0e1fef9b37c465c073339b6dd4af3634fd6570e3ad4a517f45910e9f7952e85603547d82
SSDEEP

12288:UqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTO:UqDEvCTbMWu7rQYlBQcBiT6rprG8asO

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2772	identity_helper.exe
2772	identity_helper.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4700	file.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4700	file.exe
4700	file.exe
2560	msedge.exe
2560	msedge.exe
4700	file.exe
4700	file.exe
2560	msedge.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe
4700	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2560	4700	file.exe	84
PID 4700 wrote to memory of 2560	4700	file.exe	84
PID 2560 wrote to memory of 2216	2560	msedge.exe	85
PID 2560 wrote to memory of 2216	2560	msedge.exe	85
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 5044	2560	msedge.exe	87
PID 2560 wrote to memory of 4452	2560	msedge.exe	88
PID 2560 wrote to memory of 4452	2560	msedge.exe	88
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89
PID 2560 wrote to memory of 2816	2560	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7fdc46f8,0x7ffe7fdc4708,0x7ffe7fdc4718
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
    3⤵
    PID:4064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
    3⤵
    PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
    3⤵
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
    3⤵
    PID:4144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
    3⤵
    PID:1936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
    3⤵
    PID:2488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
    3⤵
    PID:2080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
    3⤵
    PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    3⤵
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:3492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
    3⤵
    PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
    3⤵
    PID:5932
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
    3⤵
    PID:2008
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15602756893806278829,13085774821775422203,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3032 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\5a6c8c6a-f297-471d-9cda-6d6633fbe7f9.tmp

Filesize
9KB

MD5
6d49ac12a26a3b9ee0557fd12b8e6c9a

SHA1
2bf177e5e952737ef37a2d68e0044bf140c93451

SHA256
dbf2ea15fa43a0ee43666858fe7ea437b3ed7208cb77d4f83717df7d210bcef2

SHA512
65a127291e58eed98e3116ea198effbed3364bf242c8592405f44032d20d75979d0c634c5b96b9e495119c7d8ab37effe5788058dc83110c7e8ea3a975469fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
152B

MD5
3104c38c4a70052558ce25bde5866f47

SHA1
3ac720f2a4fd50b2f0ebb0a1adc398c868282248

SHA256
b65828f98c6748bbae98738e3dc35c535ab4e006c015b4a1859ca9b398038e23

SHA512
dfdb911b075b90e95139313a6e0a1baa12ef701c9ff8db29a92d8b531607fc560a2d82f5b44460bc01423a102e11c0d331ca8df7d1ad740fda760cfc839acd64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
152B

MD5
9b12dcbd214a1d2de18e8ac0d95a7fdc

SHA1
e77c78d84ccf8609bf833499a698cce97a3fea27

SHA256
58be7085a2d2716d1dc6882087cf3060a91060b2faccd08d9a73acd4e0acdf6b

SHA512
1add9dd922e05ec01eee2e124c811de4ffb9dbe5ebf55b71a8a3b189e1dabc3aa5f80159c5dab206f4e64674a38ba7525e09dc54752b646111d9411136c063c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Filesize
152B

MD5
3f301708cf9cfccd7def8f95f8664d7d

SHA1
335fc36d56e205d72a52d470cd7b986abc8bf18f

SHA256
e3b79bb9d450a092daff1ee1b54db28de0faffadcd29af7308f0a908b6a35bcb

SHA512
4e9d583e87fae3edd1a2126d00feca7651fda9155be4171a4582f92ab41e157a3936c59871a13d20081af39620fecbf195694feaa0bb5fda2d7a7f14a67f751f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\461e564e-939a-4293-bf5e-8ed38de3e4c3.tmp

Filesize
4KB

MD5
3edf8da3a3c6ff9c5d9e3dcdb4e9c591

SHA1
12e497c7269d639fd1251797dd1b5fb032eff785

SHA256
18fd16a0bab46f617fcad43665df6f8910c745c9ba8d6f38bb9afc78aa6b30a5

SHA512
1562328db8798788de4a1fa2d775038bb4f44ab59eec06b485d67b1e2d8a62d41bdbddcfee7c529e64f2fff16f79215a8bb97ee787ae7a3530cf0aefa9fec9c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
1803994ba8fceb227a6e34f6dd866cb3

SHA1
9dc0f0aaa1224166ebeb0413b8018d736b3616a1

SHA256
730a92ee4a220dce1940d4c950a76bc0b2ecaf4d62e92074df20f2dfc5268224

SHA512
90fb8197af377bfca56864e725f0cbfdd1bfa7320df4dc3e3b66b3ae987481724fa794b31831e1fc3fd3d127d7e1d6e564dc22fb9f157b7099ce8c6d100dee86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

Filesize
4KB

MD5
3ca68baabe88b716d27a9c37832d8854

SHA1
139a2dd5ae1645366c807876b194bebe32a27a65

SHA256
83aeeb7b58064d66b7b27bd8a16a0184244fe2968ef95371400a464fa5a30e18

SHA512
76b2da268a81dee55cfa60c87d181866851820da3bf8d0ce6cd00066405a1cb1e61def29e8b1080b23ccd7d1e4a95658a3c3d856eaea43bc6bd6589bfb715708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

Filesize
4KB

MD5
dcb818b0983eca91132de46468e86135

SHA1
99e0dc3b4d85b204abe86fec1b6481c582d71af5

SHA256
353e9c141b95289a52880d0810e3569608ca1f02fc02a4a3cce149f6bf5d3062

SHA512
7069b7e6ce9134af7cb0c180687413da1ce944d0cab9a37589efe332a7842a543bbabb023824b8383d16ead7d585b9aeb4c8026444c380a5f7e1fe3eda64777b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

Filesize
24KB

MD5
0ab13653428ecfc2a1d635fcc21dfd62

SHA1
dd574bd0cb1998e2752667a0dd2e03b3b0b11b0c

SHA256
0e8721d068e1f410993c1cd5d4f869cf4cd55003cb1121cfb05f6463c6d4e302

SHA512
db632b77d6e0e1017fbdd34a2df3112af910b370f2a2b79121434d6517974a8f4a114caf0e097392e5c3e15c2d0c6998f013840e41a89056d2a9377601c293b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe579337.TMP

Filesize
24KB

MD5
6ffed72161b15be92980af673bc62a92

SHA1
70d3895d25a73dd8186da0cda8f54c84ed10cc18

SHA256
a143fbb23f7235e895aff633c056d37bd158dd8dc6511a0b03d12eb1523997ce

SHA512
db71b80a9c8559778784e46f4b2ee14a7edd34991aa10e6ad0edd625baee74272a74a15064016bdb307eb6fb8267736a3389ad240836d58d771a6f4e0b329684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q4F80P1T4U2S5N6IL2MO.temp

Filesize
3KB

MD5
33b222fde8f4115c59a7578085bfcb53

SHA1
5f57c1ab9c8afb67ce8a101675583b081cd10290

SHA256
aaad764f992528b65c300e9fe5bccad871520488dd2bd86705ec5884bbc51a9f

SHA512
e880c9fab19d9854d7bec7a861158b7b382e9a69aa074145efae0b01be382bd77965c3eea36f9ea9fd9a4cb82a54b185365ee00674cd4daf79ecd9e5162c26fe

Download Submit