hxxps://cdn[.]discordapp[.]com/attachments/1256344855244836884/1269304895664689232/persona_1[.]zip?ex=66dd0f8d&is=66dbbe0d&hm=cb7a8746139d069d03ffcc9dd3861d4effd6852788b9e791126ea3d50698e7fc&

Resubmissions

07/09/2024, 07:16

240907-h3slbs1fnm 3

07/09/2024, 07:15

240907-h3edps1flr 3

07/09/2024, 07:12

240907-h1m8ts1glf 4

07/09/2024, 07:03

240907-hvjnfs1eka 3

Analysis

max time kernel
98s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1256344855244836884/1269304895664689232/persona_1.zip?ex=66dd0f8d&is=66dbbe0d&hm=cb7a8746139d069d03ffcc9dd3861d4effd6852788b9e791126ea3d50698e7fc&

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3136	msedge.exe
3136	msedge.exe
2860	msedge.exe
2860	msedge.exe
1316	identity_helper.exe
1316	identity_helper.exe
3868	msedge.exe
3868	msedge.exe
1696	msedge.exe
1696	msedge.exe
5524	msedge.exe
5524	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4668	2860	msedge.exe	83
PID 2860 wrote to memory of 4668	2860	msedge.exe	83
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 4520	2860	msedge.exe	84
PID 2860 wrote to memory of 3136	2860	msedge.exe	85
PID 2860 wrote to memory of 3136	2860	msedge.exe	85
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86
PID 2860 wrote to memory of 632	2860	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1256344855244836884/1269304895664689232/persona_1.zip?ex=66dd0f8d&is=66dbbe0d&hm=cb7a8746139d069d03ffcc9dd3861d4effd6852788b9e791126ea3d50698e7fc&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3b0a46f8,0x7fff3b0a4708,0x7fff3b0a4718
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12480825743525906062,17749641070411835987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:6132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7fefaaa1h7222h4ff3hab7bh521332f24ba1
1⤵
PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff3b0a46f8,0x7fff3b0a4708,0x7fff3b0a4718
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,13197484151781732049,10259213802122365000,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,13197484151781732049,10259213802122365000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault41b533a1hc7e8h4aebhb0b3h8479cf4352c8
1⤵
PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff3b0a46f8,0x7fff3b0a4708,0x7fff3b0a4718
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,16460192508681859301,1013328350757216744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,16460192508681859301,1013328350757216744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,16460192508681859301,1013328350757216744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\31a55a1d-0377-4a6e-9db4-597e87de9858.tmp

Filesize
11KB

MD5
d372bab058caa90652b5d6f48e21aba4

SHA1
657a0f8ccd11db675fa79b78a8887c81e15c5153

SHA256
723a63a7c3011814d2583f300606cde2221042c9881d4ae14118510df3fedef9

SHA512
d470207eb955cc6fe914ec5296c9f26a1a6b6586bf17138850b6d84d589cef0ddd5f5151658036916750472f09f1f10da880fb7fdcadecfed62586af6cee20ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
242628022188130b8c931a47af1ee83e

SHA1
de292392899dbeb20f552b1fd8491c7f23b3331d

SHA256
efcccc684a2ed86fc6622650aa5b5790ebcaf9f8c5f895c45b74d053173af776

SHA512
f0afb8e1be750192d619b847e9ed4c2d906207a7db0ed9a4804a1af1a1c03e3c5869580766371a56b017ed4e081f66fbf4461f84f4044a7f336d6d94fd87e5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
992eafd4433078c2bf05e5a8607d426c

SHA1
07e4a04f6e34213414263dc83533f106530bf462

SHA256
763681b6b597828c28834a37592aaee77f986d4489455784c409b508e22cbee6

SHA512
ae2b7aec517a67feb5ca9ce0e4462a8ff5232a8205625a1f5568279a54ca8a8c237e9443e2936a25883c394e53788dbda36f5bc74517b068a07cb62615a6dfed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4b93d6ececf0cae7f70893f37352991

SHA1
d1616537cb8efec3195ac21264e2197988d22008

SHA256
18a9bbf133595b3f5cc2f905833bfd21ae740b1bf13ac6b885471ee723d03121

SHA512
7590e6cf78906f417a0493fded90c2239db30f8955d77bd49cd8009c62d8dd3c917af403ff3cae3f06453e363518d6ddecd239e946548666162f4cd15215148a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38ffbee19e6e839583bef886a6722836

SHA1
bef5ea98bfb8d48c9d797219df895148971d6f6f

SHA256
e92ef2622603daec30ca73c0c27c38c6644e4413636521e53fd63b85d1ed9502

SHA512
6c1c95825afb0bc79c9907b39cb1fe40290f8cfbadfcac33b07b6fef6558b9ef955ec1190806919e44b9d38922bba70d6dcc1ddea469dec2375ee6c861cf3ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e3ad2279a0790a22b47875f30da9f50

SHA1
58b9737824cd110609b861413dc2e8dc0a15c3ce

SHA256
6ab7a4148154305cd454fb6c5d12b5c1531ff78ceb4e731a4c0196c91e6f8fa4

SHA512
c2caca329d8a02369c66770b41ef00009442a4c825cc260351541fb4ce0bc140dff774ca4aabb7ae35b18719d8421258b1e79c377bcd03ccc169968a52837c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d78d36c90286dd020a34597de6567692

SHA1
92c1b0c152d0a6b3b28ec7d01113fcf77c49f237

SHA256
e2355afe7f30b5e7b3a021b061f15e3f2278d2007d796ffd406a8c5daa2d7e4c

SHA512
4b739a50e20d1dd4dea49676c6f2371b735675bf612e75066ce8d7b92c50d9612fa729a458f54dd3295c3c3725d6d0ea8e19abfed8430036e4ede1c1e9c395cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
b5853291fe8520b81f3f4c54fc373868

SHA1
30e580bbfbbca17cc5345113d9c488ce16352506

SHA256
f672c24b25825d5e043e39df8a64b476d67d845ff8c1874ede3b0e71adc582c4

SHA512
aebe82d941d45085858a1afe97611761522c0da253ab30e607f54be1f623046026d3d634d476f93b23b3f57adee6856135ca4810a330bc4586411c74aa5ed32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
86910ed00980cd9a58f398ca153ce666

SHA1
918e770ab698e8d4f452a3f726303ce595689413

SHA256
496b981e4f0b6b59b21fa1abdefd40b0b94ff8f1d82504fe217ad1507ef93395

SHA512
c816c43d66052f9ce8111f20c63126b14ed173b7d7ef5ca7320788be648076f5d452a03a81aa77fb35802dbfc3faffda24ee4e362189c61fca8a7ac14affdd3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
e3ec357dd086b9fb6c1208514ac2086f

SHA1
828c9157dce3c0783ba61cc4db4282c5e0c4c0fe

SHA256
d65b99783d3b3d69c27230da3591823cbaeca38db758245fbee10e13fe2506d1

SHA512
9b53d51398675a2a2fcb317d1d8674f86d677f7cfba724e6164c5d8fed6463af5023d0eb1f34a142b902f11de6d4a94c04018b010ce7a77763568444b1117834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec4476ef7d0a63b8f71759b6db5a630c

SHA1
702d93344fef8734d63c65bcd16291fc67ca9314

SHA256
8e37daf72e69f385d1f3e7a26f627cc45a22275d89672e8e6503c9dedd60e5c2

SHA512
d9d95331ca38707be9bc66929e7ad348919c69b0a377a9ea273df7e4df5f46cdbd9a807241d97c15f31dfd3c5e0ec010963382ab5b823b5091ebdb3198a0411c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dfe4fdee0d4f234b9bcb0d855c879074

SHA1
08d7fed188592b43a3cd1cc2e6839b1ce27dca87

SHA256
3d50eabf647b182c90ee0374cff3aeeab0056bf5afb90eade85a281e2cab563b

SHA512
c3d4423f8e862f631920d2569cd4634a9da39e24be9aba8677fc054c4b5a8184c6fce92739fc2004f73a57bf8fd70de52148a4b76e546355cb4a5ec6ac5e720f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ff502d05212c5f7d41c1cbf903bac18

SHA1
2453082cbac1e87c8ac89993cb33788c4b4a4535

SHA256
4a2db01c40d9b6c61a328c84dff2391deeb1127f73331f01f514f5eb2c31f799

SHA512
c4adae7a5580fba7ccce5644532ccbe84ca12c7ac834bf02f6af9ed7311ee4a6ab65407879e1fe9cdea9f92219713431cd4719c4f724d2e986038e022cc20334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
cfa668329011ea1402268e06a0ea14a6

SHA1
2c4f618fc39fd647fccf2a87024b7db2b5e0f5a2

SHA256
22c371b18822d7a37a16b8ac171c414f9c7fe421e33048ac929e1e776d05605b

SHA512
a7a33856921f45b88d343f3406a32e5d2805ceb2ce4ed369ec704e3a9bef9dd79af480d0d136f2e3b8c6bc73ef4528f14a64343caaa1b033598dadb09df8a6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a22d242e-cba1-4630-906e-15510ea863de.tmp

Filesize
10KB

MD5
e6d330d0f994ef21af2407ad29363183

SHA1
9875c75ccfb568abf561da1a2c7db21d02abfce9

SHA256
52adcd04db2b5dd4c11cfb754ba023eb4c0de0a865c0d6454f2b17c9c39c3eb0

SHA512
f03ba741134051b9b8b8314ad197aee1e834c058f27df62981ecee833343c8f4dda62497e1f171682f26d34ec09a82e5b0c6f782ec049cb9a6bb6f6958798f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dfb26985-75aa-4910-92f0-0855ebd9716b.tmp

Filesize
10KB

MD5
e14cf5ee87f92203ed4d6676641cae13

SHA1
cb7a03020e4ecffedd99206a89eed857808577db

SHA256
0546383e77cc69c903db483870ed5fd9d6f746ef5ec651d5b4960c1f09cae08c

SHA512
6926773636f4f9285685458c42813a2b36d6e44d13e7157f9c907b51fa01b4e6bf700adafb6e32e4728f307e10764b0c9b425c6dc1abbac32df88d5ec30306d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
4d2e2da4f7d309cbb8da693eff8e38a3

SHA1
6b428e2f022c8b7595783d4a923c3f96932924a7

SHA256
e62a77d7df731c7bed2b2199e3cfcd1e6000917a61ef5387ee5c62e2ab6d4c84

SHA512
bbf0c2975ecec742bde673090debfd4a99392e615140257cf7365947bbe5f54608440d5394472cc276b21ad467c3b18b94ced12f72c64025acdcaa0845b07668

Download Submit
C:\Users\Admin\Downloads\persona (1).zip

Filesize
1.6MB

MD5
eb622d1d6f5e01f449b8d62cd4582901

SHA1
93853a1b984a8e81b9aede0917043286cca387b9

SHA256
8e6396108c150914c658d7752b97da9f495d05af25d7b0c7270e3b4aefdcb639

SHA512
1ab08584b411a9df0c491973365149cece74b9bc3a85bd7b0d872449cdcd7dba941c42d2efa9778670c8f5af703b3df6eab7bbe0e2064f5bdca4eb676bea45d8

Download Submit