hxxps://belastingdienst-2023[.]online/

Analysis

max time kernel
582s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 14:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://belastingdienst-2023.online/

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000c7e06e2ba805da01386bf189b705da012b2fb271060cda0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
2800	msedge.exe
2800	msedge.exe
1420	identity_helper.exe
1420	identity_helper.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3476	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4516	2800	msedge.exe	89
PID 2800 wrote to memory of 4516	2800	msedge.exe	89
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 4108	2800	msedge.exe	91
PID 2800 wrote to memory of 3032	2800	msedge.exe	90
PID 2800 wrote to memory of 3032	2800	msedge.exe	90
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92
PID 2800 wrote to memory of 1292	2800	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://belastingdienst-2023.online/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe818f46f8,0x7ffe818f4708,0x7ffe818f4718
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2184,4308344128618519407,12459587285750176608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x3d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\01b9c92c-332e-4360-af6d-446f87e24b7d.tmp

Filesize
10KB

MD5
8a86f37c2449898e31f0df35061bea62

SHA1
38a72e12d062a04fe6594975e7e5fea306c1001b

SHA256
38e7f543b087d716f27da2791e89cb0a4b39a2ea1924588f16bd42fa06cd5f05

SHA512
2abd0dd13a5c3e61662efe54374d1fe1ace84c3f6d34fa2c4199d225880633b89c73d2b68c16a8a50b900e51eaa566347d2111253d0a39cb096b76afb0397d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\70011610-96f4-4dcd-9436-24e55707f138.tmp

Filesize
6KB

MD5
40f0aff98005062d3ecfed1c93dbcb55

SHA1
b9d644c5d6e6c42489e203421d71794226517d8f

SHA256
8a6cc9c150f8452f64f830bf3ead604d4e4246c0d1682b72c64fbd3cb04b1a6a

SHA512
c4e241f038637bd612e3f004c6c6d9382a4807c11a5dbe891f597592a911e75af7328e27a926773b247f9a304dd9e0148a16b1029b3132c3eea53bc05bfd0639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
488c5c22912d9a0e39d54bce71f8341f

SHA1
84ac62c7e8362bd0c84ce3680c39979cd411ebe5

SHA256
74e410da1919426d0e8a9e98b6dc06df4d231d755ffdb53d92aa44f2ea327dc1

SHA512
69b8ad64c932bf3a594b3bc6acaaef109d3b342f1a4de1cc225188f8812970fbd02213aeb63874355734bb29874870ae9338c33c013d2a0b021853f4d82ee60d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2c196e4ddb91510653b6eb52b24675aa

SHA1
038ac09ffe90492298a04588cbbb5a79d6ac2c33

SHA256
78934b25b81ee76660db35488f08b7dfe9c7a311e2b8dd96499bc9bc8b5fc5a2

SHA512
503e956928ae1e264fce46cf9fc01012b4da8f5c4d6f1dc4fce7892e9406939f4bf24e94b955d81dddf756b1af9e0572611b01aa3e3745c21a81cbc837663181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
340B

MD5
205f3e7e34ff8892b42c62f1c7ed2cdd

SHA1
8f896754a8d94822de4fe9b1766efb4451d872b6

SHA256
1c2ff8950a9cae91cee089b6e6b034917df23f397d5f668f3dd5c57246dd0cc3

SHA512
c887e6bcc07aca9f74650901cb0c2efde081ab7e8698b3716c7f00c474d066848217b8e148e34fe0263629ef81ba0e98c97ae5bea709db195f9ca9655bbb0c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
407B

MD5
c2818167ff220afadd99de2b2d3c7e8e

SHA1
52d386911a8777e835cadbc3f4a29212bd663baf

SHA256
3d1deaf11b4ff5a175ac4c95b2712b69f64fbb79ae2bab9009f61d14be7bb29a

SHA512
93dcd35b45599a3922a53043e10b7d1763cb15b765e1c52a45fda6707ee56f733a73b38b5cad5943105d91902ecf2cee40f9ba46c852bfad80d06593db31100f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
420d2cc10fbebe4417b6f40a7514220d

SHA1
c33a069155c68da4588b1522d0c655ea36bc0a38

SHA256
b491b2ba3a33c2e304ce512d3f280cfd64d4d70967f62ae6268e6142d8bd3847

SHA512
fec11fc7e5e9e838ca139813ef29c50ddc12ad3a757e694680848b487b6e773a98ee0b7a92fd3d0b580664e7d95e16783bc6bc8bb2ec851c7f32a3722053bcdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
130f93a78429495f9eca020a9ec3aec3

SHA1
b126fae2eff4321cbcff1c453b39ed801e1fa9b4

SHA256
50d33fcf9d813271d7b6b504bd713734eff3d40c00530ac8bfee8ca10ae4aede

SHA512
2786b593440f77e73485121638791bb609334c0b73a722ee6a1df3731c86111e380954a7b06946709101be6736c384ed0067323db16d40294b683087f1291e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cde50e6b3a0b57d534cb843650d0720

SHA1
6b782642c7786494da23cb53e48426ec048670b8

SHA256
196e5216744dd8b1b21c7d3af3987014a67550d33afbbaad7d6dbbdd2ef9b9b0

SHA512
3dbbf1b74c3d489913ba1dc8fb8b295e79e04a0887c481e5ccb17ddc259282ef1b33b4dee90b4bd84ff2557843f7e0e8de652c0c01214ef09ca551caa360fade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2e25a11890eba2266a660644bb66162

SHA1
40f5268d1105e05dc3d365837c059a7326c1273d

SHA256
135dd9c976175ec08df33750a0c713be1f0fb61850fb52621230cc5596f5e356

SHA512
2dc1a75f6311c0baa6d2c3aff8a69c6ab59ae63149329812907db9f098f047c0f484ee8ffc4236982a1c02a51e55b1f40e33895eaa6a82be287c276859d9c6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e42624a342d73b598013c92e212d77f

SHA1
39244ceb6245d442a05f488463f188a7370cc351

SHA256
60c0c8cba4829bef82db28cbf4606db65cfab52192be04af6b5313151019dfc1

SHA512
d895e41c39aafafa467e43942f7f318af7ae198a8e39befd044141cbaadcf224395a57370c6a14175c782ef9353a5b19d7c6c9d1ab88afbfeebe53be6cff1e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc21d0f1c1ecc4e9c45e8d7e8e8acd18

SHA1
b0e84a878a85dbf0b37dad4fed3349cda8c8adba

SHA256
918f9ad20bc17fa1e36843c84e9f7bce9514162086a023f083bb46967095d05f

SHA512
a38256f5557007f35b1632b3da1ef2dd96b95a655449f1adfb7582e7dcef78aafa29b6e49da933e32ee4f164fc5e71d6f81e8c3219dd8ea256bebce5bd6e3eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9525dc19fb1a0a82c63db9c3538a56ba

SHA1
fc8567db9b16a407da7b41ad6221279e801bf930

SHA256
a0839e52caa589587aef3d09b5ce9b8018b628fa3346fd44db9b9a3a6fa09e60

SHA512
ff39b805d209ea326548f26a73fa41421e1cb5718bacf803084aa6b99971b956d145a47bd14c92c8ca1aa973c2a5e12da4f9d7b3dba52c7cb323ce6c829562ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
10ffcbb73a3ff6a263ab74897d790f9a

SHA1
a54ecc2f51c2c509a88d85442295b6089513c26e

SHA256
884d5a0bb92c5c68a6b7c07fb53203f69e8dacb339843921ebd27e936c9bd335

SHA512
e5c7be9ba1a1f4d9d3aab6806951dfa36883828af5d6d86fa4d8f8ec3d198e79012fd16bdb2725f6a453d3d7591fd8537d229f04779ed29653788c04211a097a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d91e2.TMP

Filesize
204B

MD5
9d1c0a0d2765edd546cb7add238e2768

SHA1
f4463b55bfb3caf2a22dc39d218c633c3d129df6

SHA256
3fb97733568d56e1f61b26e7f3415c1c00d75cecc9dc980d61f9d6b56deba6df

SHA512
403ec72065d496be286aa9af1a060030870e613fdd259c729c68dfee365d1fd227a8cb1dded2203d0706f615358fca4b3177ad19765a9fce7cd097777324df91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ab4e5594b7a8fe3c0720700d7f01a02

SHA1
03db18dead6c88e0167afcfebb8dbb6128097935

SHA256
051f04fa1f32b588d702be987502faf0bd55af0f81927c7664a2090a68dbc729

SHA512
5b388cc0d740f633e64fc4cf2a7a031cbfafaf01f9bd9853afbf29bd2ca84b1c35612cebb8b779bc5c60679461d5495f7bc4ab157c1e70c1be7b1f95f6fb823b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b085308cf17173babfd540d69f9e0085

SHA1
4ebcf8e57928d0047bb13d125b2fabedff7af92c

SHA256
d63ac80da0d6b98374c267afa7340c6927f2ff45cf89350ab34f8c344cb5df05

SHA512
ba951fceb105f6e63e67437f4762205119e37968b06437f2b811391c8c347d3ca237a8f9b75eaa1397ee681ed8f3b5e5c22f888e1f24ec2c48d578b3973ad2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cb440c73ee73da53b174d7a3b00ea4ca

SHA1
91b724e9e4b2e2ccbce30c3200d8d81f5e7d826a

SHA256
c909b01ee9df1683893f3766fa368a56c6d6823d338577ea65a7e6c34aa0b3a2

SHA512
5350a1c70c157b841b977f5d7371ec4e85f4277d90150ac7d0eee2cdccba0eebe83f321680ea6e234fd906aa2d7fd0a06f255c37855a5abdc20e70731169f648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9b5967d0bd8029dc82c839d0d63f1450

SHA1
d3b7034fb278f9d9847a7ae196f98e03df134922

SHA256
51d0af56deca197f5806608d9c39bd2f432f808aaa318ad18b81c446531dd44d

SHA512
671c43aeae08a9b699297e77c6ccedf235cf961574abf34df5f171bf3ef73c583b592bc6590a51d27d131e52dc3714b8843b5feca0e0c3e48d8e0f8c7b0611dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit