3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe
Size

87KB
MD5

299fb757aa971a0f7d718c8446c6bd50
SHA1

08fc3c42f04657adba707e46d80aa2d457b4d814
SHA256

3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0
SHA512

6a3d59f60405acc603b0a58108899a62007f4e1ba679eb792484f66c17f4574744aae6e15f32815ce48bb339c9c99c4967aa7767a29b669383c23d882445975b
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfexW6O:Hq6+ouCpk2mpcWJ0r+QNTBfe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
860	msedge.exe
860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4400	msedge.exe
4400	msedge.exe
4584	msedge.exe
4584	msedge.exe
5316	identity_helper.exe
5316	identity_helper.exe
5496	msedge.exe
5496	msedge.exe
5496	msedge.exe
5496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
4400 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 408 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 408 AUDIODG.EXE

description	pid	process
Token: 33	408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	408	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.execmd.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4256 wrote to memory of 832	4256	3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe	cmd.exe
PID 4256 wrote to memory of 832	4256	3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe	cmd.exe
PID 832 wrote to memory of 4400	832	cmd.exe	msedge.exe
PID 832 wrote to memory of 4400	832	cmd.exe	msedge.exe
PID 4400 wrote to memory of 4300	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4300	4400	msedge.exe	msedge.exe
PID 832 wrote to memory of 1584	832	cmd.exe	msedge.exe
PID 832 wrote to memory of 1584	832	cmd.exe	msedge.exe
PID 1584 wrote to memory of 2444	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 2444	1584	msedge.exe	msedge.exe
PID 832 wrote to memory of 2928	832	cmd.exe	msedge.exe
PID 832 wrote to memory of 2928	832	cmd.exe	msedge.exe
PID 2928 wrote to memory of 1132	2928	msedge.exe	msedge.exe
PID 2928 wrote to memory of 1132	2928	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4696	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 860	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 860	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4688	4400	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\851E.tmp\851F.tmp\8520.bat C:\Users\Admin\AppData\Local\Temp\3e2e726a030500ff406098c85931cdcb22bff216b37d320f93892eb4c0a698c0N.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc363646f8,0x7ffc36364708,0x7ffc36364718
      4⤵
      PID:4300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:4696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
      4⤵
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:2824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      PID:2544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
      4⤵
      PID:4464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      PID:1640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5596 /prefetch:8
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 /prefetch:8
      4⤵
      PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      4⤵
      PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
      4⤵
      PID:1840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
      4⤵
      PID:3220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11499453289607953938,10556765310523912403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2308 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc363646f8,0x7ffc36364708,0x7ffc36364718
      4⤵
      PID:2444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8147167622267703289,2915412249915488383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8147167622267703289,2915412249915488383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc363646f8,0x7ffc36364708,0x7ffc36364718
      4⤵
      PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13471176755762365048,8641866543144991784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7dcbf2d4f29d3187e4b2a05422d8f58c

SHA1
3fab65cbfadcf04f1848b33c6dfe5d6b2e4374e1

SHA256
9839b8a8b43d0d7ae2b0f6de7e2bd9012ce2af54a064c5b0287ff1bb2fc1bc50

SHA512
9b8d797bb75fa62be7cca6d237cad207c85b23cb025451c895facd5495ae84c030def88f9394b8c1ae4412f06e40f8212e36c7bcc05b85ff7212a224098838f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c113b6947d92a70c4f74bec510361ba1

SHA1
43401afd83f5600b6a9cc51f93ce6a345062e172

SHA256
59444c2b83398cbb6232947c116b6280b03a83e09f4ae06e4afc656fd3dbcc18

SHA512
0948e1b3adab5f250738b9afd7058434420ec4e5b20cacf88f3fcb733bb04afce23a3cecce16a8b8abc257b4e3da0213937837985e04afc3a74daaec74a95e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
16c655f795356d79e6d7a2b0bbd91d99

SHA1
8ab70949a91cc862e7fb26f5514f3bcacbb2ac0c

SHA256
2b6a63385858857873d399d53a94e204ee9c32145d9fc3ed4e458d2df9d7c6c0

SHA512
4eed83a67d46edd77ef61b9d586d9249677edd68bc55268fa850b47031e2d3e9c369e26c36bab675c95a2c36b591f586d56c0fb84e5e203d16791809ab33f351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc711933f3c7739cacbcf6814ab7d0ee

SHA1
1c5ed2744cc08c0135cf0209dd7bece73e9c8a5f

SHA256
0b27c42f22c8764ce0431ee0534921d68eec47bae19162e0c10562b61d8a29b5

SHA512
294cd20ea8672b391b36256d4062c7d3dd1a94277977ff21db38ea6098920dd5b6c3750e56107819171294e2069d62734335bf55c8312372972ed6572f8f89a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7588a2ea-44d1-4074-8145-df366d348398\index-dir\the-real-index

Filesize
2KB

MD5
9e227c066f7ae1182e33240dffb3feb4

SHA1
9f893b445ef5f383a0c15276e8aa87c8528880a5

SHA256
651f59cbb1d4192c64e71e206e6f34c26c754581b1ed6512266df78b7c9d28d8

SHA512
3d762906d02c0f92a346274fe66ce2145f93081ca3f239abed5bbf312362c59a41261530ea99235bb38efc4b2b41131fdbcd56a9374935bc58cecda363de7659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7588a2ea-44d1-4074-8145-df366d348398\index-dir\the-real-index~RFe57ee57.TMP

Filesize
48B

MD5
d7d23092931e729042c2864010ce4794

SHA1
9bd156a33cd045eb3638bb891421d272ec9530bc

SHA256
cbdfd02bb43b55d7f2fc37c246a6a7999e4e4bdd0365f5b88940b34119e3a903

SHA512
1f6f900b855050151a86547924ee1cc623948494e4995e228d5ef0e7fb91b7733798ba2c4bf777ede6af5a26d1c309a929d38c8ea65a7817ce77555f0cb71197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
e0a5b6380b616434833411f86645d1f2

SHA1
eddad9b8307233979356d59cd7f292e981303cca

SHA256
16bbb71eeab3b99579b8bef72a78e9e8324d90cb123419ba99ae09dec31963ae

SHA512
f070ec7a4505483299354574595e7aa10d31fdd7adc91c77cc3d249b29ae825c229295cf3a16bcd48243cf07f5ac00881aee2ba4b68c5ccfbf0548678cc950b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
c313d5d5c559dfed1f74bc8e04fc29c9

SHA1
7ded45062e769b312544013ad14db9aacd6a58be

SHA256
71e8547919354060ae0d33bcd7620e3ec6b6a6c3d83debc92dcd379d656f5418

SHA512
619f392926827d01e2d7538c9fd7b440c42a9787a9a69615ac2e4bf70b8f3891af3435a4215e030b7cab1b9990a5b196da581078421f97c8d32f90d8045423eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
be5fcdbf3c1f3a1d467ec659098fe799

SHA1
488f39a0ea4a446423dd5470bde9850fdaba1408

SHA256
a3eeb2d0ae2e5a7572f45918497a19246281dfbbbd3a89a11281afad905f2e6e

SHA512
97a7c11719afa96a80ff8d1687847e2ad87ec0449e4a2441f2a3f58ad4a5606d1b1d0411eacca00d6ee8cc35b35b1b5119af227d85be365d493d36759b077c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
6f148c8fd1f5dc53f98d5cef18a85663

SHA1
1b470c501a4b73db80571b705aa44286ed555f24

SHA256
564d783a5d1603dd3db8683c295fb601184acebf8e57efc257380f303b601435

SHA512
c9365f3761065a5de3f68ddf1c905bd4d6e8b7a3e2990b3d0d81e9ecf0c0fddf743460d44b7e311abafa63a52647d049e6c670fbe25ea0d8e27e3efc06950079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
824237369f3d9645d0d43ad1fcb565e6

SHA1
5ebaae4efa3fed05aba618d3161adc927996b6e5

SHA256
6fbeda7ce4c5d5e9e8b345521f48c4271b5fd301e4f01361bb58d998da95ffb5

SHA512
0f1c50bec6c53723a9b7857f1bedb22c6b89d7a521cd1cea04d016098283741f1ee4abcf6f4338e151d78c9bd5f17c76adfcd705c05f5c4813044c0ff5a33097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e649.TMP

Filesize
48B

MD5
5ad11f19a49d5fd76f341d64182f08f1

SHA1
39e5f684ad534839b288f12035f5c0ed46fa758f

SHA256
9d6043f4efb8a10d882f19a71d3f8e0ec7e2a19da5c97982cba9adff476cd3ac

SHA512
6b21c26b6e6796ce8d2a86e5e736724e0356f9730471919e1a5be3611c8e29072f38327c6be4fb8e6a051b869f508fb0d56e6d8342861313c83690377ed28f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4787318542dfcb7eaa8f6d76970ad03

SHA1
8ecf7a8dccb92381c06f2462bfa33ff38b46760d

SHA256
f56bae25bcb4e9ce9884235d03c0a31e3f653bc8d0d18dae69447fcf62ebb4a2

SHA512
45cb505c7123cfe7c3706d8067e90bd11c5261279be20ac978ff3f62935e1f7c26cfc1f9e8eadad25fc1466b33a5bd7d964ff9478073269c360814cb9aad35bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f30c6d1b9eb35881c0578aedee94ec0d

SHA1
ef4a251a65c3464adb96efe3b66421c711cb374c

SHA256
dd5989ebc454a6e2e8e63e54c1905fbfdfb776303647454b4138b506dab0daf6

SHA512
9fccd87ccab2d862a5163aa8b0dba17541c7a86726e11976d1064686ab7a044b4e513225c51a1e85d259ada3de103fee538f0f0f3cf5456a2fd52ee590d0e997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58461c.TMP

Filesize
1KB

MD5
0655f18fe1de5c65a60b3fd2241c0630

SHA1
0986d9749cbf7ec3fabf707424e081b3d96d3495

SHA256
883aeb0439c049c354813d4fc172fa8ca828efb181512d24c8ea19c98caecd2f

SHA512
b9ae0f195dd06ab25d0ca8ea47b293af2517e13a81f5f7e37cb027c270bb7c6bce7775bbd2e90e6ae5d8ae4500e1fcf7fa935f33464f2af03b2558a882371e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26f7acc1646be5a211d079e43dcb9dc0

SHA1
a362d4c17adf079107109afc9f4716190d9cdda4

SHA256
3feb7abc4e40e9d2729023b3807be608004b5b4da41e0a51f771cfa5ce5c0df3

SHA512
b93938dbc19f405f317c37b33f86951e2db1b8893db85cb9d6aabfea73264a155b1831ce8713d7cedef3a0ac5ce00cdad7c396d1f34c9860000f043642861bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2994ab1e7b8f0791ef70d04f9b16f8fb

SHA1
9f3377d8988534f76a687cf80bebcd471576d706

SHA256
344628816b1316a4bfdc1c6fb234d2f61aa002a2247f9097fbaacdb290a3d7b0

SHA512
5bd161803b3b6721e7b9ebd6d86b3884ba0d5b3ada793c05c64d09bad3edeeb9b9d100a1453f22a106a71740a40e1914cc5162fcc9afed3e6a6f4a9f3afc2a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
730329fb05fb697308598a41797fc519

SHA1
ae02b861cd7146cff8cc95f81102e0eeebb55d0a

SHA256
0c3b9a2a90dfe699accbcd34f96c49b5e9f6f3ceb79135ab940fa6f94c3235c4

SHA512
47a671880310bd88698ceb0cfc5373ecc562b7a5db40bc7f4aac84926e8044ce77ab963d3ea76a155b5d32c46805a08f186552849c5891b59486136c6eb04d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\851E.tmp\851F.tmp\8520.bat

Filesize
122B

MD5
4e252c7d3f06bbff08a74b7a5ae4d566

SHA1
5af0ee7e8b8354b3dea0b913ba379650a6b5c5b7

SHA256
4cbbc25f33818cf7a13976282f05f093091606701de1bcddeb37eb39613f7f3e

SHA512
599b384d9ac75f50acef90a149b552b11e3d844451117003d2fdaaad9e6c7aa0d69619af6cfe0a4a1822df00208152bb83dd7c329ff1a4c4b399bcd77641dab4

Download Submit
\??\pipe\LOCAL\crashpad_4400_JGKAMMIJKLOROXVQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit