a27afbea3ab59a6766862c29f9d75e632d660124ece1dd0e8eec17dbb678904a

Analysis

max time kernel
1050s
max time network
431s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-10-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

20KB
MD5

93ae068711fddac033745c00434407b3
SHA1

3f87ea1f2e1ce4b5cae8c6a0b89e81c56bfd6e3f
SHA256

a27afbea3ab59a6766862c29f9d75e632d660124ece1dd0e8eec17dbb678904a
SHA512

1dbc2f664d29c99041d1e3ce899b1c57f11bf048c5fd8b4858d9984b38c3b613ea620cff0c500dc44412bb156b2f89f16a450b3cb036bed605b5c178042922c7
SSDEEP

384:943wNwf8Sspa1ocy4T4lbGa+7vhpNZGvcdJPro2REu4Y0wM1OTfF1xCejiw:KwO0E1ocy48EaMJpNEvIJPrEu4Y0wM14

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\30a9ae0d-9e4f-4815-b38e-426e486fef87.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241027181206.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 967059.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 967059.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
872	msedge.exe
872	msedge.exe
4476	msedge.exe
4476	msedge.exe
3520	identity_helper.exe
3520	identity_helper.exe
840	msedge.exe
840	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1556
3996
4440
1136
4816
1172
2816
2272
1736
1864
4980
1764
3952
2672
464
4664
2996
3708
2884
4228
5000
4888
1192
4156
4648
3576
3188
1672
4340
1496
3612
1276
2460
3000
2828
4520
3012
3520
1188
3416
2628
844
2956
1440
1268
3648
3144
1852
2060
4700
2668
1780
4924
3936
4588
3580
1940
3756
3628
2268
2120
3468
4524
5116

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2484 LogonUI.exe

pid	process
2484	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4476 wrote to memory of 4144	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4144	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 4908	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 872	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 872	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe
PID 4476 wrote to memory of 1628	4476	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x100,0x7ffe9c6246f8,0x7ffe9c624708,0x7ffe9c624718
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
2⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7fade5460,0x7ff7fade5470,0x7ff7fade5480
3⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
2⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6572 /prefetch:8
2⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7060 /prefetch:8
2⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5579193494964793843,17325529193743186308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6332 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dda6e078b56bc17505e368f3e845302

SHA1
45fbd981fbbd4f961bf72f0ac76308fc18306cba

SHA256
591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15

SHA512
9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6126b3cef466f7479c4f176528a9348

SHA1
87855913d0bfe2c4559dd3acb243d05c6d7e4908

SHA256
588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4

SHA512
ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1b2d8a4fa0062f261ff09bc779492e6a

SHA1
d74bdaa918e84849c42879b69243913d8ed2ff70

SHA256
64bdf82aad206a5af107d05b10343c1e9bb482556d0f69390c202a0fefdf2ec3

SHA512
21e308a693b124c690bccb722dc63d182326e0aee2ff4ff9ef107cb1276de076c73bcc703f117cf5bd5a8a9a16db1d5deee7f0a8865ba66d7324528ddc0ae70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
68bc21903488751bc2e25f2d5ac8fd2b

SHA1
75443d6dc803cd85067ad091874c7f347143f677

SHA256
d8c343b2355ff3049325f14a495084030a0de4db03081fb29c7c8b06ff26364c

SHA512
7519c8a9a25636f0b2893823a4fe4faabefb7f96ad3eaa4ccfc16f08f56ccb2d0890573a947189eb448d4cdc0f28a63adfa02ac4760211e5ba7c74aec351efac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6a9db775a06fe6689ef9877a316bfd4f

SHA1
5e48d7582a2185f11eab7d41f6eec0aa0b90f146

SHA256
367c998ed4a321ac85e1538ea8f5a7f7dd66cb8923ad296d4d7e05fd8990fd55

SHA512
bc34a4a8c8ac98f8e14db47551e8d7d9c7ebe35b13be136e0663ad82107ea3b78726b8a0feaac0c973f95c1d17a36e54d1e959a2f1ca72a7c2177a6f5ee552ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1022B

MD5
372d34b0f34b6210ff873ca0b53c22ac

SHA1
b3777e5240e3f9effa7c1c8c589a52c8bba99813

SHA256
628cd6d6e59fe3a8ce41fea8f272e019ff601131cae527591ac8b40607f48771

SHA512
d69c818b5f968c0233e24694f289cbdd5637529d84f3f194215cee08dc272754fdd61f5dc535b1bff489485db901b262578dcaa3e273f2acbf4183c0237224eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5971cb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1343f6e5a33ac76ad84811d2ce629742

SHA1
9a3bbe7e682d0842b8f6bd34f8f0a415da43d8bf

SHA256
c6a3845551c358fe30906e3a3c5198a342003f465b5b0de58c2e00354abdb5d4

SHA512
7221630bc5325ae5397380798239dfe9c6b8457ed2ebfd78360a4b5d4bda6d0ecbbed08e5d8e402e69ba49668e6594ae041c8b1a24990d2f947f53d53a90f80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0692fed00fb1def5f5548cbcf597abf9

SHA1
67ad6f6be7197f13d5e89d8ea458072ccb58180d

SHA256
a1f2021282267aa6d9b90ab566e56eda43b26961fc78e35d726b9c6f569dc9e2

SHA512
af1ac7b7d5220daaed382b718bd783472ea87ab06d7b38bc7c7b3f7cec22c94b2899da832f8ecbfc9393f82f026368e1441ac3bc4dc906ab50f946cd0e097455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7cf56ac07d61f9918dd62f637ed6acda

SHA1
e35254ccb97a9eced5e22bfeafd0422edcb97aaa

SHA256
e4fbddda590db6042faa3169dcf357a7cd48415c318c7aff070c6bf7d5633572

SHA512
bf5a8e40c404408f1fcfab533489f28046a535c896bf8ee8305237cf7e0e1acf711a8f2ab358784fb8d2b6d184ae3a94b6b162f93187e6d8140b6de8958f1aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41db30c9299e01614d3a5eb34bbec80f

SHA1
4781e6c6b82b379cf3ddd510558822885f4cb9ec

SHA256
88cd0005c6ab21e90a6ec297dbc0a5146de0e77c4edb92ef2c7837615e2af45f

SHA512
7925910876347bec9fe5ce1c0748fdf671d66484aae7100ea5f04f02727e61148230734db6c569c71fd989f8d5d241347671ff7a26006c3d492077b295fe05e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8de5a81ff85cc466d172f957865dcb60

SHA1
ee84cc3c8c1d5d72183fc0c0efbde571bd87953a

SHA256
619779a5af41527ea2d0a68e90150d27f248bfceda2d3ffede55695319463519

SHA512
8950d811f629ad151c620c0761b9c628685aa1018568fb45fb5d92b2faaa955db0c77052cadafc48482a0dd2fa8e687da1bc946bbafe9c6b1391ba4c1a115449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3621437a870b3c1896c8266e745ff971

SHA1
dfbc6cc8706f8de4a37a7ce8015c79be3caa326f

SHA256
e4ef5ebbdbc9bd7185ee0fed8757ffb888dcb839e0cf64dbc188dc17d1df7842

SHA512
30fd5d851e8352713b416a3475201409a21cabaf1daafd492f1649d1155c1f66089cb615962be722f2cc31e2e75cf732eac9e06275c2022692393dbd8603e98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e038ec08a7f38f2ec8ea249afc8c6446

SHA1
5304239122cbaf792a45fcb728c562494918f2b6

SHA256
0c1052a2e20a78b12c527c58effe2cb6409a494eaf638faba01f6f9b641cefcb

SHA512
18232da9e9c872dd5adb6551e9176f9f2feec7ecea7e0b6b96652575f95995813e9a1b6d71240d98d0fa712578da9fc4b77c367386e82001cea4c1b13553e712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
90cc75707c7f427e9bbc8e0553500b46

SHA1
9034bdd7e7259406811ec8b5b7ce77317b6a2b7e

SHA256
f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb

SHA512
7ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0d8c8c98295f59eade1d8c5b0527a5c2

SHA1
038269c6a2c432c6ecb5b236d08804502e29cde0

SHA256
9148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721

SHA512
885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdcbac5c720c9d07a1ea8eab28ca4f5f

SHA1
b0f614161c9e4fdf421cc9064a8c95a12744e24a

SHA256
5cf12f469fd82654b1934fb33057257f119cabed0bca476dd8886fd07885e061

SHA512
1ba5ac27cffd33f9f0a6d367006d7baf1106942b307e48872d6bb23fbcb5fc69dac76869f045faa3c62b49cb03110636b0ade9598d540d4b5cd480b09dd493e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8391ec1ae63aecce120637712acd279f

SHA1
a09c58c65766139a664712847d4b8749ae9314df

SHA256
a2c16aba1a46af32908335cd63d4847019f84e9292d9c5bb805d2967118bf2f2

SHA512
7f63f768c1b1d2b389352eb8a3375860ffe6e8539ccf5926864ddfaa3d603cc34d3190f03a21aeec1ca3e5f0f9ccd352151eec9338e53b05f9f39c2e9851d6a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59098b.TMP

Filesize
1KB

MD5
f7eab3a26c6007f8e8efa39a06a3e788

SHA1
c8bf7907cfcacd0b1bfc083572d3f252f2255bd2

SHA256
0c897d3deb44fbbd37e665bf7072ea724ffa3b7b4c184620fbd1ca78204da323

SHA512
c3da253998038d7d10988e763d2d7e957512c6860285e389706012a60494d09b8e9bfb66039f282e250bf8204c5e151b4f8e88ec1aa5c3cecac7cb6b1bc2e581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f77bd14e79a2efe2f3f7373b899b6d3e

SHA1
d342f1884c460e8dc419b77fe5183c5369e7048b

SHA256
dba4e9745fc106259ebe07db4d1ada1e78d91c2ee316ff45324785941738da6a

SHA512
a7708464df1fb5782f6e4705ef0b8b019bbbe40bbbc83d0c2819dac110ad4b487c425418eb47a0930e6a48e20fe0a7d5738ad4e97ed54b5e660a19d76fc492fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
58581725e3d427b9e4a7cc7844c8c7bd

SHA1
3b363a44b469d52d9fef01c2e6d81783ef1f070b

SHA256
bdad4527c143c3114e2d7d32190596e06895528fd273daa7cdf592970d6a01c7

SHA512
1af4ba7038981777b44d37cca7e400b3c7552323ba5d14816f7dddf93aaeb73be0a4e3fc824830854d366a17159f6c3d93a2b4210d17dc69ff245459a5ceaba9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9d90a9acf2a220965a0edd9cdf5f7798

SHA1
765b68ed05552040d4e669a0f0e6d432d75a667e

SHA256
bad68495297bb6e8780c29b44163c957b380765779b9a33f94ee9ab868be2715

SHA512
e20c812e392fc53499d8823126c2952ab09c147cf575c5fba0c01a1e790e07c86b582c4d689e5c5161d63a7e9996da2ce243a013d70217b87acd1be100104e9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
98ba80262551bbb9ef9201938e072bb2

SHA1
df6d91c57fced4dc512ece8ee4fb4c6be95b6709

SHA256
ba58a9d1e2b6c59a8f06648cffcfd7f9971c21f84b3ec0310008c62aa1e4ebf9

SHA512
c4be442a536aeee490d3dc30048a37fe8229ba4918897d95a6639d64abc53b9ffaac2115c70a9bca4403a7cab2d1aebe4d89c8b973fcac53ad6eb171219d1cee

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 967059.crdownload

Filesize
24.1MB

MD5
18f27581ee61474a5661fb3625022df0

SHA1
265d21bff7bb85d42a7eb2779a75c6e1468a9a79

SHA256
f59628d7b563e099c5769b93df66123bd2274ef43e262337b1dc0e41785faf45

SHA512
99dc67916fb4dc1c1ab93a98455f1db3cb3d23fb5b42f7cbf7f8f6c098ace89abd75cffb0059548409068bb7ea738584b817c9c694e724f7d7afabe487f3cc5c

Download Submit
\??\pipe\LOCAL\crashpad_4476_RWKMJOSYKNUYVTOH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit