471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
Size

56KB
MD5

a865cae4f9a553fa100932e8786b80be
SHA1

1c691b07fa9c59c1eb6a993723887a9ac08b301c
SHA256

85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f
SHA512

df149155fc97c72f9401826f614dfb16edbf982b64c6fb3d7302526cd9c4ee8368dcfdc666c1c1fe2a522115176042f135723e9390ed4755fb35b4ebddc263e2
SSDEEP

768:9Wf9/O9lXRyz4M9XyTm/O94NOYXkGQ40d4Wg/i+Pet+F/O9LiAU3UF3333efYZCz:9EmRyz4gOmxNOYXF+yzTPSwjH33wk

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe\""	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	icanhazip.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
4808	msedge.exe
4808	msedge.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
4480	msedge.exe
4480	msedge.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4480	1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe	84
PID 1832 wrote to memory of 4480	1832	85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe	84
PID 4480 wrote to memory of 3452	4480	msedge.exe	85
PID 4480 wrote to memory of 3452	4480	msedge.exe	85
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4644	4480	msedge.exe	86
PID 4480 wrote to memory of 4808	4480	msedge.exe	87
PID 4480 wrote to memory of 4808	4480	msedge.exe	87
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88
PID 4480 wrote to memory of 3456	4480	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
"C:\Users\Admin\AppData\Local\Temp\85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fileice.com/LINKHERE
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f37546f8,0x7ff9f3754708,0x7ff9f3754718
    3⤵
    PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
    3⤵
    PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4520
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:8
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:8
    3⤵
    PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    3⤵
    PID:4868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    3⤵
    PID:1096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
    3⤵
    PID:2628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
    3⤵
    PID:1528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16099571261230456287,10657198956161464120,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3912 /prefetch:2
    3⤵
    PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3166dcfbc22da11a439151ce5501f8f0

SHA1
4f86705a106713664b43babcc6c23ed85f501316

SHA256
1030d63944ec6e069771d6f4ce0e3051ccb88f07a97d603e208f45d076e0040a

SHA512
0c7ebbae1ec5d2e69b6b6c7a15dccd53af20859575edaacce1ca4ae261642994baf705871092f13a9724cc59be438e48da22b699452222cdc8e1552bcc7fc462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8ac586b5943aca972b24095d7ea2447

SHA1
183fc0e86daca4f9361154910079ffafd233d568

SHA256
bba7255d979901b857aced70d138d44ec1cef87f7803012bce206597a48feb3f

SHA512
264487ce86ea0c3d7e91b6410e457a070a7a1927f9d31286c49c63d0b235b1e24d43362baaa8f16f9b864790dfce92f97ba96b40f86162a8231ba27aaf18f00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a542901c-4853-4102-af6e-1e9e46c36e2d.tmp

Filesize
10KB

MD5
a6eb3bead44836d59b546e1f1c56e688

SHA1
54f3973e0d10561df93e0b3bbb4626f2217353a5

SHA256
e91a1a792183f59f7d4f3f048eb6f05c87feba016f97c5cb3d5774c365f123a7

SHA512
bc88f339a802008a1f29752980b0ee6faf33d1a7c76c1d0866f35a4c38aed2b9023fb230b086e0b3f65e1b823ae177cbdb11b94a6b8b23f2259a592a1f2f6221

Download Submit
memory/1832-5-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-7-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-6-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-0-0x00007FF9F5E45000-0x00007FF9F5E46000-memory.dmp

Filesize
4KB

Download
memory/1832-4-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/1832-32-0x00007FF9F5E45000-0x00007FF9F5E46000-memory.dmp

Filesize
4KB

Download
memory/1832-33-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-3-0x000000001C030000-0x000000001C0CC000-memory.dmp

Filesize
624KB

Download
memory/1832-41-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-44-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-49-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-2-0x00007FF9F5B90000-0x00007FF9F6531000-memory.dmp

Filesize
9.6MB

Download
memory/1832-1-0x000000001BB60000-0x000000001C02E000-memory.dmp

Filesize
4.8MB

Download