57b45395f28083f3c13b57d762180b2230ccabdaacb36dd18c23bda278bf811b

max time kernel
973s
max time network
975s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
07/01/2024, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

login.html
Size

26KB
MD5

87c1e83d5ebc2066f648df574f384103
SHA1

db4bac8860fe248807f4df1f6beb96c4c0fbeb6f
SHA256

57b45395f28083f3c13b57d762180b2230ccabdaacb36dd18c23bda278bf811b
SHA512

34742fa57c3f2524367a6746600d5f90cd65b66cdb7071840db0c89672d1c51ffbe08fb81c0a9d7fcb7ce06aa2a62255db35ee2caee90f9ee55452a855aa0d05
SSDEEP

384:wYm5V77sGGzK+TpQn7M9cyqy/f2f/Yb6WiZrffGfMfg23syZj5XCqzGX3O:1+scm2f/Yb6H93UWg0syZ9n

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-334598701-2770630493-3015612279-1000\{B8D3DC64-5212-47FB-B048-68E6A650FC2E}	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2020	msedge.exe
2020	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
4008	msedge.exe
4008	msedge.exe
4520	identity_helper.exe
4520	identity_helper.exe
4532	msedge.exe
4532	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 2560	3636	msedge.exe	84
PID 3636 wrote to memory of 2560	3636	msedge.exe	84
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 3412	3636	msedge.exe	87
PID 3636 wrote to memory of 2020	3636	msedge.exe	86
PID 3636 wrote to memory of 2020	3636	msedge.exe	86
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85
PID 3636 wrote to memory of 2796	3636	msedge.exe	85

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\login.html
1⤵
- Modifies Internet Explorer settings
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffecb223cb8,0x7ffecb223cc8,0x7ffecb223cd8
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=216 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3524 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1916,5044367510499032440,18032680933225318228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
24KB

MD5
e63f9462cf80af09a6b2760fd142e795

SHA1
0fcfff18a1b43d9fe4d85cfd6f537b00b351056d

SHA256
e892792439bb82555a9febd5bf7d4b954628ab4cb77476c79b7748070424dbae

SHA512
42243c7f48ebf14c905227bb2543aa5aac530bf9e9735af4c8f0655d880d0ad342d13bd8d8932e7ceea088e5170e68e413898b9a53c215e84175de6cf10d1607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0580a8e1646d7bcd_0

Filesize
14KB

MD5
7a38e6c0a205b8d184286e5940722839

SHA1
6f943a99396207f154e7c651dea16d39d0b2c906

SHA256
6963a26187dbfcaf607e29d8aa11ace4b2e6f90633c2ed60f90b0d155561386f

SHA512
9aa7a3bcec5d94bfa9af1662039e9a3d812270cbda988c7a75fdf2ee7468cca9c83d6b725c28ce5ea45f9089694f28b239290c8e0ce999a532537ac4e1a6bf7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4c693273baa0190b_0

Filesize
5KB

MD5
284fe668408f509f0be0bd7442ebf4bc

SHA1
7b82a0ab35f7837dc40f7ecce0d2b017066c205c

SHA256
8b5255b4cbeb98fa2ce5b432a1c3edbd4000fc85d7a3b7d0a6841635b4ceb9ff

SHA512
998ca2b49e051ba36bffb1ab7240319a8df893cb7a7b76f6157890b76505eaf7bda67ebe478e80c803740d93da52698bbbf1a0362b88f18cb96a9588e768dddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a56de25fe34d7b3052dfcb8351e4e77d

SHA1
7481d702d3d7b071783852c6361b87eb9b29f169

SHA256
431a998647da2759a2447b67fdb96768d2e2054f5e0c01651381b9967bab3d8e

SHA512
aff4c85158dc2c82e0181262d44fed35a692dfdb260276a19a0ceb3b6dc3cfed87cbd342e54d3dd9a0b561e3435f907b78a93e784e6f3d60b2beb3945176ade6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
de0abdcdaa39aee6129dc12fbb7212dc

SHA1
95dda525e45b06efe229d4cb6292341a26b46fbe

SHA256
e39a9ec30dedfd147241df4a4217b3a69d8f9406c239f6e92ca55b5873a2081c

SHA512
8148048f48fe713d0e203c5ebd3cb9a02f7569d0f800584e460fffdd66dd6f29947b92a6775d89cf5d68bdcd2bc364ad2eff251622e778f9df5f59ca371dafe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
78bf46a990edd352c15a87dec438772b

SHA1
41f8426e43154533915e6b31e00d24f3a7ce93fa

SHA256
79e0b8a30564b93d1a61a933c32ffddece62703064b61b695095edcbf6d165d4

SHA512
ac2b86f9be8c37dca7a61ff8120f22cff7132227a41605fa0b9f0a0fe4a70b57c039a3fea2a221eb4eaaad86177c0116b9cbeb34ce5c86537c91f8be8e3cb9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f4d13bfa16f1850f43274f18a6d81f36

SHA1
87c5142d26ca5a05c91c536c00464934d9fd159c

SHA256
df679dc5de537484d92466fb951ca7f4f89432820c5688703628ae7a1e0e1cf3

SHA512
cb5fc1a5d63ab48f7357410a3526a96585eeccc1bae126880e904cc0a9b94bb63e5d5fbeacd1884d9d3cbf3ad0f95d4255bc66fb94bc8f915f0b443a78255fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ca0b250468f37321b06e8006bc12104d

SHA1
a990536e9fc39306f0828592d5deb1ba3f6f2941

SHA256
2d8850db33ed919635618101c377a133196c790efbaeb06534cc5d486377477b

SHA512
c474fc4de9a23830af3cb6d03a583b330f505b736b5a20bd56987f83e9abb707da197e26e319124746979a92b6683b21aea752a9392949b2ce8bec7d36276683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
39a229b9ec7af45ab6c344c33e31b4d6

SHA1
6f3941c7ac3d4da2a9f4eb70c51d60d0885f33fa

SHA256
979acadfb7ef01dca0167ad22d481512066d5b4fa8f3c83c1cac52679b782fa2

SHA512
cdebc861db2c60b01dd64229095442abe0450df2115ddd856f2470a5cf9e7b50c2500bc2c9536df1e65054ca53fc7829a8ee8bf7936ca63a0a020912edfbd975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
30d0542c926b2db6632edf5cbdd60f06

SHA1
c38e94aede7f58359e6f8de1f54a3b1c881587f7

SHA256
50845883ed2308aee64a6cf4a5ed7af30018db026ef3743b2b1d8533bacaebfb

SHA512
d3b0cc76850fa7a898a56f7df20a78a04c0f4c2fb70d77b997505354ec735ed344106a9fac622e3673769391b350a111708ce8aeab12abb5721cb81ac2846517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65b4bc01cb831cb9c4e6d3826541e95d

SHA1
1db1147567eec79b76d5376dfae47e01889ee9c0

SHA256
a3849df09c94ec49513377b741616e69db99a2b594dfdfc048a41da492b4e938

SHA512
00c1b775f19a4e0a65d371c931732d45c5e81a54d737e6e023dd58020a1290ca04425101cc0d0e25103a6c24d0e79dd3a7ba7aaa70a0683b9185caa51ec8115d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac567dc7efe765b452bee2ed99677abe

SHA1
0e29af20cbae5580d81b697e418c4fceaf7d0aff

SHA256
78e89c337fd682b50dedcbe5bc09a0c52e5149e53223d5770db54048ee0fd3e2

SHA512
7b7b712f594c44fcbfbbd65f14f8c6fcf417e5471a9f1d4c9451fff30f77267a1e913ec4e83360851714ff610e172a82d9402003dd5963875cbe1031291d1c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
87df1412ab9d6b93dccc55e3ed797b01

SHA1
fee319191645c7acc8bd38898c0d93dae37f6f43

SHA256
0745acb4e0ba0410a11c680d396bc0b67b133b93f476f36dae11dd03e321639d

SHA512
f07813af86aff365d3b1de6017a6b0e4f04a1c88463a29d39dbc8017c24d7f9ff00a8b528bc0fc31e4a28b73d4686397174ebf0f43efe17addc61e8929da1d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bfc2af5be2398dfd42a24de99041a098

SHA1
95c4d3aff7deae8cb1daa2392f7093704be0aaf8

SHA256
680410c4f12e4f10e685bcf11fb3e494ac6fc21fee323443b95d3bff3febdb84

SHA512
34e4392ed51dafc57220b8b7c14400d343f32d139178a3daec8a62c71f29141481a1a6cdb75095aff2ea99063ed7fd2c5612506883e7220ae6139ff1f7dd25da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
46670e54ed5085bab2611e9226d7b3ce

SHA1
bc8429250049fd6a82e2bc5cfc59faaefd8632de

SHA256
ff726512b0f89865898a98922559cf9fb2027782609d8c5974b1512f73d977e3

SHA512
df5ef2598e93a6afd0d8718e50a5d1d8df21c50c8c930025a2f3b358b28be9f38b9b99c69170188e0776a487e64db0a77001a5b478697dcc1fef203f33b599a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4a5270f9068760281363e09207e98ab4

SHA1
00127aecfa1cf0140b49cf8636bba1add432812b

SHA256
89a81d7bb9ee6c05b9c00aac07228aa0b797615744f410a3578ef5af50d9678b

SHA512
fe997645f4cf7f205c11e469dec8b0b3165ae7bbc1f6f674115531d143827fd20631bde8d5be480e5f01768a170908507561a368e9617f535bebcfc411931f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ab01af09c552aeaa30c8f41faf7ad084

SHA1
173a717d64b1e282169c337344c85587e3ad939f

SHA256
900a0a5f2a775c0193c9f2010b389de682bfe2866f5553d514fc1d342715aed9

SHA512
2c14e5b680b131dec566038988d13d8e89ee64515f47f3f5e8647009efd60e45d45398841a509df948427278cc51bb9a99bbb360e8ecf69282e90a1ea493c38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
835dae7f9d5cd4e4c3c9c954405eb6bb

SHA1
19da73d415bda72bd0273caac25966faf442bdc1

SHA256
c20e3a0e142e4a7026574e2b4cb38c831801e62e0ae6491fa0a0f11a0bb3ab5f

SHA512
8b07b84f82986e59d6239812387429e31e6300acaf50c7c798c902bb5f82afea857061e3623e47d53ef180cc8a4a48d67d061dd3023aee882aaa46ed3707f3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18ba50bbb54c691e258d3c0e4fab5517

SHA1
784d9c76e3501f706a76b09ba830d952af171e89

SHA256
9b229fd6fb4fe7e857461cd072b5ebdf06f58d0b778477a73bd108e1ab572326

SHA512
f10766981da7dac2085acc93e19a49a5be2a0276bd13de0cd16869c96b175c965c98f330a8d78f2a8172545cc243dba6568839e23b067a6b0f742ca6135c7732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5237c40ac223d0506361a0b24ccc062e

SHA1
a27857aa07a0bfcbc244d68bf6b2e3b7a2dfcab3

SHA256
7d4e737695569826c340ddf12e759080a4bb723309025c444c5957054c73940f

SHA512
8299395333b7e136ae77180e11ca06d074ef24931c5ea5c3f8ea79c29b5f0988eb2f00779db5e271cf56b49fb43781e40e0d1a50551cef2f141759a4e0d942a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c477e788661aa6b691453205b120f9c1

SHA1
974ece6ce8a0880e61929e826ccab81415277813

SHA256
ac54032e6a0a24bdbea86ed61aadf682da7a2933b31dc1e4678484a77100416e

SHA512
e79d408e690a6dc2a0513cdb02a072026f9fd0710329fa02555d926d52d0bb16bfc582be734978df0c5f084e506dba734bd6aa0ecc961f8e392ed0d122092327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
55a0cea179bd00811e4e9d91d6a2138c

SHA1
9fc813e95e7926f783542cf17a409684182bb8af

SHA256
5349345127d5ea1693504d6010415862ef6c6d73f6079ff70683f7e55fa6a2fa

SHA512
1997340f591aff4197b3b084ee0a1fc62312bdbaa3fe5ba7fafc68551d7f3ef93c336baa5300bce3eba0077239f0fe706d0c4d8ab05080eb7c219a12b97ada91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc363a68088a83c53bb055f4e15c2a97

SHA1
cdf76302e2dfd7c0ea31e157d119cfb0b00dd08f

SHA256
9c7b5f100cfc1f165d405708529bdee009dbe8670b7da6df135b0d3385a59279

SHA512
dfa60d17bf4762e512e3fa239eb759fe7142cb1899eecfa4c6e4b674fb6783194d8bbf53545c577acf01ee6f8ca733657d815aec05da184a786a87b6edaef18f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
5KB

MD5
85ff285504722925f70374a5b5de3781

SHA1
54d997893899521ac41ddcd62f31ed3431c43a8d

SHA256
897180302b6fb73eb47eabafc8b8efede9b3fc8d95df01a0cd46f5e7bec31c06

SHA512
955c3f4f3edfa613407e7c262004883b8f8a22d4f0fff70a494f8463d529c2a6b335d09c3c86506ce061e09aab3becb24ea07d64477076c556dbf62f7f607c25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
7addbca83d839f254baf8c5648f1337c

SHA1
01fef6c9781594d7a82923a9c7596a83b115875e

SHA256
127e395d7a439c3ec7a268e049d617a7bd6d35b6a3b122704be9f4b0d5c13e7f

SHA512
e760b89bd544088a9aaeab19b3205b097035d8ad3eb57e975056b5c5a82b08da003e02987214d1d755368efd288a1d74e0f6b229584915e190dee4dc68e8c130

Download Submit