hxxp://google[.]com

Analysis

max time kernel
125s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983843758-932321429-1636175382-1000\{C01A5329-408E-468E-9CE8-B0252EA557C9}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
700	msedge.exe
700	msedge.exe
2980	identity_helper.exe
2980	identity_helper.exe
5444	msedge.exe
5444	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 1608	700	msedge.exe	31
PID 700 wrote to memory of 1608	700	msedge.exe	31
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 2780	700	msedge.exe	90
PID 700 wrote to memory of 3788	700	msedge.exe	89
PID 700 wrote to memory of 3788	700	msedge.exe	89
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91
PID 700 wrote to memory of 4308	700	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8248646f8,0x7ff824864708,0x7ff824864718
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1764 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17688166782018650582,12968564767127859795,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x4e8
1⤵
PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
42KB

MD5
f8883ab9c4a452a0bfe3c5cf9619db86

SHA1
29104a6e1efdd389f07f0f3e1730de95746967da

SHA256
427f528f5d190e0e3275d8a1fc40bad36fede3da064b33f29dc8fe6e614ff2f7

SHA512
f6c2211dd8bc6824ff179eb48e2d1056c5aeb2ed064a13121a69edc8cd256a8c5f4add0e91b28cc72d1db2cec73d64cadb552bf76ac58a4f765b64555e8a4598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
44KB

MD5
5e725876afc3f9b5eb47fd7577948ed0

SHA1
fce729ab7efa55525d47968322ae1691f585e868

SHA256
e74d491cb6d444a8845ed5da956030c3f9a9ad7ddaa8eea241a350339917eea5

SHA512
c2550ab9fb00c16fa6d87166cd16d88212a081e82646489b69b31c24d8ac69c1024ef30ccef20a9751f949c7cb679e28c3c25a947e8cd338616d193b569c6e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
91f17fcb554299aafbc11a625d02756c

SHA1
166c9d995e744a8d826f2e87503fbb6771ea7499

SHA256
002497a8b88f0725167a62918d73a1a0a63e103f3b98e295dd3e81f773ce649c

SHA512
c58efdc0e0035522e0874ddf14276296cae50eb1906dcf0cea373e5e489c6325ab876277e0a80978807950a175c2c1abea490e91533ef2c16c5cb463aa6cf02b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
0f066f0d17eb7c8dba355d92a9e2fb4a

SHA1
e774ea42fec13c2c8db6eee96d941817b0fc4e1b

SHA256
1c22200c476f8a743fe8fe43bd0362d9884a651ae16f783cd1b710ba31b905ee

SHA512
065fb1eaaa5415b46e16335dca7cdacdb767dff7e84d19a7afedaa9cf7d77c310cfac2400ae3d6152b3d687df7464cb81ba1d92360b6b31d95e864f5c2987f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b2d054fe7b352d06d55639fac5ead5b9

SHA1
9b627c5dd1882f0ffb33d4373e62a50fd2766e2f

SHA256
f6947e40b6387630d783b6ca4899151100ec8222a15ed6e53cac3778a55072b0

SHA512
8a6265904b2359d247d712d3683bd57ddeb7aa06b2857e824dc02fc0b69854d54453bd5b6f40b20137a64f58b7ad0b974778be70f88a78f3b9df7753425a3719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a90d2cd4fe831d86b86fda3e77a6d0f5

SHA1
645afa6c5df2a8f7589251d7510e6faa3020f4cf

SHA256
bfb7fad3b78019bc00d16b6a9e62d66181f8fd27e3dd5aa90ac7afc03dad10be

SHA512
84ff688b11f4212f71382380232a860113fc17fdf4552892de99bfa1676b8376a93cc584310e3c774bc26a766d673f1da78fb91ceca25a470399800d2e3ec4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b76fd69b805518f406a4f87df41c9c2c

SHA1
15b3b2c3f4f89afb7ef7c3c908e2b680af6d083c

SHA256
72cc3960e4c6b818e13f51df67bf71dc33dc28fb08220ee315b7f0fcb30ea85b

SHA512
1f7261ee46a8bdfe0942e750169d408fb8d98a9156fb57d7349f3ef7fd3e8761b2627b5b35e2fb75430855867d386fee905eadaa1ab9b4a1215bc9b1395f08de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50acf7ed4c49c658b4c51dff1f386461

SHA1
c59ef32d9d7540cdc943ddfa77c6d0a179bb9837

SHA256
a2f31708bddf23196a63e66334366d6ef119db149dd762afbd6ba22ff6f1a135

SHA512
eee38c037d979ce2c267042c10c0a3fdaf545b1639d6c96720d4b07847406ba6e138b96ad2a702c5f7f5ca75a45064733d6a4de69c36666bfeb6bb1a87a235ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
815e30da10607f81841e441b084f27e3

SHA1
52fd9cd20af2ab08e0adecb1c9ad3b9fec6ce7ca

SHA256
a90941d8d70e68ebb83ff144f466fd772c3283f16719e900d973926be1ecd217

SHA512
8253bb6e4d80972ee2c0a86c107ab34173dc09a8a428891266727f8fd238668f1cb448f37bf02dc973a3d7c9e1d4a29bc6641f88562339d36899edfc18ee1616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a3c02a944b35354a95b2ce82a9917f18

SHA1
46e5ebaf989b0188faf688468b3d7aafae29c25b

SHA256
40107c125668faa6ac7b31911bd2050bf229fc3c0fd5efd8eca0ff52cd17c7ab

SHA512
e5bb61c48d592fa8761d0ad125de0d92bd025195646d9c207ca129aaaae64c3c5d0b8e4ae94c80a346a31fe395c8e556d18334ab8c696f41e0f07d9a94d3193d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
41ecbb5593b0be5f5402c8cda021b47f

SHA1
36c1852d59ca1398494c53df2447b8979c9d4d54

SHA256
fe20c86413186d1c88f5095a35596b89e1fdf16264124a0291d6db53083b884e

SHA512
75e76fab6486d2b8e099638c6f9fc775ccaab26993ae3c86486e90c72844cb8bd55d5a943dc4f199c1c3380917940db4af074e1e5f8381c338d0e5d74703b870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1b02838f59b5073ce4be81260d261eb

SHA1
41a0f040fd6da2f99773c4447141a49d1ee7a973

SHA256
e11f428eada29c8f5b4d5cca0b490508961d54cc2869a5ca6d1d5d8037df237d

SHA512
36694a6c58b0faea6be5d9910f2557b4c0ed8ed24290329bb9e3a98ca6e2eed759be44a798267a97e6ddaec6aa7db5145c3201334319063bea98378ecbc1e0f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2bb9cc0e3f727cabc3dc202f7bf37c31f45f0eeb\5ff4ab33-1828-401a-8096-f3a11337fb90\index-dir\the-real-index

Filesize
72B

MD5
50bff0e131f3fb982eab4feaa4a6d920

SHA1
cf6d944cb71365bc079e2319221b5b4d23218201

SHA256
5c083e71caf3ab92675f88517ed0f969687b6ebcbb6be83cc29851b596b52d48

SHA512
36324d149c9687bfc3730cacc83d49d2b9e5cc54de8a12d68602da59eab35809136557ecef05cb39d3b49ca3c072dac1e220ba6fabae48fa77be7af66de7860b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2bb9cc0e3f727cabc3dc202f7bf37c31f45f0eeb\5ff4ab33-1828-401a-8096-f3a11337fb90\index-dir\the-real-index~RFe597843.TMP

Filesize
48B

MD5
5ed317156195d49a809d5bee46295b34

SHA1
f693830c18ad6c2bf061ef693d43f6d67d9eb2d0

SHA256
17035deb048e23c46ae08b50c148a6b6716a464913dbedb6b94058a67faca1ff

SHA512
e42f882cc4ba8008aa37164b4316de82286b99208c2624c7da7106ca79bd6218b9c7dcc0d95d767e3ed7ebef623d57c359400821b16799fb3b8ab4a7995b6bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2bb9cc0e3f727cabc3dc202f7bf37c31f45f0eeb\index.txt

Filesize
120B

MD5
5981c9eff70747b83d46546ef1c5f8b6

SHA1
babf188a09af0364277f6ba580cb6c2f47504d31

SHA256
92f2d973cd6d02e8b6dfc5e59a7336bf2dfd993978c4d07b35900de650adced4

SHA512
80b76f92c801296e61b571ea75adbf4b43095cda09059efa17905c9a09cfa5f2f357182d280844a1d59da4c9a75a0ef1a8c34d13f7bc97c95ce0e37ad148b496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2bb9cc0e3f727cabc3dc202f7bf37c31f45f0eeb\index.txt

Filesize
123B

MD5
7a60fb03cc82fa40bbfaad48da116e97

SHA1
b639b0a1a6023668f977728f4cda6bec67b6680d

SHA256
01778ae64ffc6516ad2ee224ad009d6016bc1176167a947a02c2a57f095a3b1b

SHA512
cbc2703ce737dc0021c3b55c11ffdd199130cf18b7876cc00dbe156157655dfe6a6f4a033be81a71b1dbeb5382126f72af904d91c5b1cb423dd0052d2cb3a540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2bb9cc0e3f727cabc3dc202f7bf37c31f45f0eeb\index.txt~RFe590a47.TMP

Filesize
127B

MD5
8f9eb9fd13061352e76e2a76508ff469

SHA1
58106601cd94b0a5bb87c34643fadec6b125d8cc

SHA256
f32b7d4337871f9a55001ea55e1cf83c0c4e879238ade0dbfcd4d1382bfb287a

SHA512
8d3d6105d8b45a2cc3d1edf69ac3d2da94c5ccc35331eb5e15ce3a02f55df95095b5361b988effa73753886a9ed7bffa2a9f688db164f107078e4a39ebcd0388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bf309e2bb06ad8fd4aa4935a9e2c73f7

SHA1
c6cfc8fb1895c3712cf6ce32452ce92075d3f888

SHA256
edd9716d3c566e18afadb9ac8232142247ab4891d3b150497914de89c10f8328

SHA512
180dc23921843cdd237984dd61a7cedc576b5e330cc65918b86cd9205349e153d554346e3702f4cc457b9ca8092cd7f10fd84985f0eb9be367636810b8f6b0ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c743.TMP

Filesize
48B

MD5
76c5cd20835948eebba0c06a0682e916

SHA1
a963ad8c45dfd0bbb63402497de99c7f960479f6

SHA256
a6136725696ed5df3e0d42ad51d8be1c484ff8528885f52f8b49c1c297439c07

SHA512
90e0fbd6313dd0a1ff4223fcd97f82daf79a7263bab13dffa07736b276e679458d07d7b37f5527474c0f838ac975e778824670d7629fe27fc36171e36e9a3bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
b2798ca2464c6e658a3ee3e9f415f446

SHA1
bfdbfca86d1f82b2733bb594e8e6f387ac173515

SHA256
4f8ba20edb9e78f530e467f6290e88e7dc90d7b22bb1a0f4e4795359aaf40e8c

SHA512
8b54ab5fcca430871370e7b0282ac6a5ffb225f91ebc796278961ee0656b4b4ed0710bbae34d190199eb69e2fa24c6cf6b198b14254d421c85a41233ca183b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ca4b6d01eec8ed8419496148d6e5e9e6

SHA1
79151901164eb186bdff225e747aec206a33bd8b

SHA256
8eacd0f514a43fde36a6da6414bcbeecbdabcb53bd0a861ad933b4c179abec5d

SHA512
ff1b4a109d59e0bcfc37fd8f1be8cf4da965fbf3b231d2be8428c258d18e16f8d8e577c060a20a4eceee570129cd7531818418deb7fde32091f1224b3ef325c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebfa512fff40295ec5e325d406db4ed0

SHA1
de64643e902488910c9b56ae380962b11d0cbbc8

SHA256
815571326169f28e5dd909fab4b754e85db37f7ff9dc665880c1a504ba0a7e3e

SHA512
6250a8002d7ba07700cda00f84c49b1936104c67cbfc5b5c09d52af5b88d14916c685a43736eafad2f39eb3ebffdca1331f456d5afa34f883f832ba255d81041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0802c3181a6c671a44da45b9fb4b0c4a

SHA1
55f01a8a5f9114b74e3fc907ef8034e2b6b053a6

SHA256
c3d957fb78b02d8e3ff9ee996d8ab62329eaf104d31e4aa9854745586152849a

SHA512
8ad9d73bcc8a68b9df6e0633fbeabf154b87fe84c403d81afa18029f37f1ec3ef0467687029dbdbd1d3d8df4e2411a2811de91ada1604d7a37a93425515db9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d70e9859fdb2a3aa4158a32c413ac252

SHA1
cb3cd0871733769b67c17c40e4ae9a285f4bdf08

SHA256
c92bc66c1f6102eb23dd7da01bd9b7b98cb85d0ee8d6927aa6a78f42eb987804

SHA512
084adebb23c6c6d15441a9eb49eafa1c1486a67b38fbe73b4e4f72485a13ae509095735de79289f2c7ee99e056baaa31354c667a2cb576a0a07e23fa0e9753ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2fe4eeac556c4f66ddfe32b82e9bb9a3

SHA1
2fd38a03d24f69fff09d3f39ea2a071ee7985856

SHA256
143f27cf0814367277dd83e5c414f9bcff90a280d128c25ca40aace72184dd22

SHA512
0a0f87bfafdf82dfa94bb00e3d9f654d02c7e4abb0c583d38f89556ca5c8fd48b644a42d32f029cc810069249d389f1011cd6c50f9017e371a42b5ef975f811b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc8942e63b8ce86993246c6a04dff23d

SHA1
75a8ba20fd563b4935c8c6807293896362ffd432

SHA256
051b816094fca5d22fb2ae88b71b4768172fdd9ea0da9798e5194c27f11fe4d0

SHA512
ce7bbbe92a1b0a3be6202dccf3c87b92cc148004d7a2371bf57811e06efbe178fc81c5389def2bc3742207fcea83b581dd127a249b0e11d1011e686c8453b179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583841.TMP

Filesize
204B

MD5
7a7ad2a247df3cbabbbf620fff4e70ac

SHA1
add8aa5c171f9521a816e50c989639951a423909

SHA256
b9f9ec93aaa8072bc15de5996084463e36dedb622c990063314613253ad44d79

SHA512
19c85e982458c3d0c64721f30d5aa8e17123a471d42290170dc856f89b2e683d4995fa308f480169fbfae2e965135eabf8515d135326793f014706b86b46d7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15d7fd707cc6af71c9412b0188894cb6

SHA1
bf4b0b349104bfa2753e7be7c1d14589c64e29b5

SHA256
200905ec89d8dc55ed00c4c3fe5637dac2f3a1322dc15083e530ce43fe5a3922

SHA512
a57908d2279283f49352dd2eabbd37b84bdaa1c2944725e574bdc82dc8a4b174a489d143e6ccffc9e4b702c4a04493b221bd8fd4b0127b5bdac53a3f3c24b6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad27370971d0be3b7524b2486eadfe46

SHA1
014c036f60b563ab7336a4d3e603c2f3d43a0c13

SHA256
c5c5add041a2a9cc48985a418ad44d5f5198014de48e7e8e7b4bb2780d8c2687

SHA512
067b2d966dfa7990be422c2338d458b164a9c58229c55f36b6a9125c3300e92801027c19398bde0c64ee3a4ccd522877f8f353c58f70cbcd489703ecd5b71d71

Download Submit