hxxps://bazaar[.]abuse[.]ch/browse/

Resubmissions

20-02-2024 04:23

240220-ezsv5sbd83 6

20-02-2024 04:21

240220-eym89sbd65 1

17-02-2024 20:07

240217-ywad6sba22 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/browse/

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

77 discord.com
80 discord.com
82 discord.com

flow	ioc
77	discord.com
80	discord.com
82	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2398549320-3657759451-817663969-1000\{A9C6EA7C-3870-48A7-9123-BDB675D4E96F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3384	msedge.exe
3384	msedge.exe
2568	msedge.exe
2568	msedge.exe
3012	identity_helper.exe
3012	identity_helper.exe
3016	msedge.exe
3016	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1020 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1020 AUDIODG.EXE

description	pid	process
Token: 33	1020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1020	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2568 wrote to memory of 4904	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4904	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4476	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 3384	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 3384	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe
PID 2568 wrote to memory of 4836	2568	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/browse/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff134846f8,0x7fff13484708,0x7fff13484718
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10450102504529954742,17159629700031689634,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
8a16766d299b342976972bcbdb05f3e8

SHA1
dceb8d5d3682dc129a8ed3980ccffcd32e1fbe0a

SHA256
fc8f33cf22843813c0a7e54ff6482f3aa98bdab5c4af7740a86d503016921b45

SHA512
7a76b64a3f8d599ec28fa2bcc193f8f4e3682e5b86d2168f7afe34ccf4cfedbbf354e7d9e7c3f67b742b24c7fa58b314cb3e4f8d1e10c76e7f0f533b7c4866f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0100aacc3f29196df4df19ae4956064d

SHA1
af5fe2951ebe9edb222c1aa20890e06997fc1bee

SHA256
bed45befb60991e9e99f4b8d4459c824c4ff6214fcce985e6be7be8ee36b9fc8

SHA512
f97196cd591b1bfa7bb7918ddb71a5d0b1ab71fb947f3e92ce967ccc01f89223632e89ee6acc16af596a7d0b600ed5d584c4b58bc1148120848442f42423af85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
42f3dc9a8b3f79714eb4014aab35efa5

SHA1
5d1fce3928c51ae6c8c2a147bfb65a4a4393e650

SHA256
e96bcf230c8e2baf7313c38e1aebb26f334862ada53c5756ac280e69ddc19145

SHA512
3b705b976735b984c28bd0ce676e8ec0f269f327ee6a3ab99a88ca61d76922146bdeb4cfb9f08964227e379d6c9df9ed5d5df5c2eca1c8e7ddffe72b414784be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ba071ba81a12a6689d5527898a6f3490

SHA1
2d95a77e2c6b1aa20b09c59f0c6301e842583a13

SHA256
32fb27b888c310d4d2ad65d4feb936fac8c5e7c02e14ff4f65b58e1ae04b463d

SHA512
6e14f6f3c5b1d666a323a698ac00037ab59f4dbddba949018845cae6abe15963511abeace3363ddbbc75cc4731583ff4eede2a159dae0e36bf4e332be148f0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3cbbc1a45986eadda89028f0df1a38d

SHA1
48b1ddff97ef9b51fff8242d72570dfc09fd3865

SHA256
d7cf054f82a4e8b411fd2f8d768e67e6986abadbd46090ec889634ef1d81e72c

SHA512
b54c3092f7c415cf7612794872c04a2d5c9eeaaeb6c828c2c5832436bd2a700385214293e319e521fe00351e3d15358674ccc4b8f9238cc9cd11e33da4d5671a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aeb6e620f07993ef51e8edb0404bc09d

SHA1
e3ae43698be0dcae55eccf9b9cfb73315dc0dbbc

SHA256
876ff384905e16d1dea087af863c99876fe28f70a8973c209dafe74afed888da

SHA512
b6030946a588c205ecd682789a2273cad7082676b9f574cfeb965caf6d4cc02acfd245f115c64f57462ff642f29e6b414f9d4e7087d0dd50e0208e6c97aa9bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
129a831b7141afe281e77df55ca461b7

SHA1
85dbffc440b09f9b076d71245d0edd7ff56ae1f3

SHA256
dee3945f79ec843be751c2852af930055a9d1256104c9d0ceeb3faaba2e9f24b

SHA512
5127f234113699d254c96b91fbf80a3d0c0d4f2c286464494215b6815047ab3490fdea15439354bd53bd4f1dc1d88d80476151d89d1a5d797825781be43489f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbe4076438cf98bbd09d62fca41140f3

SHA1
05eec15898619fa634f2bfac990b7805b5545ede

SHA256
bc5b0fbb4678cd4131125ab5b463c0eee0078012fe7bc3511dafe3aae42b7a4b

SHA512
c8e7a98433825a5a26e6e4d6b1eb2f43c6f384fd14df2dc230933fcd3f965b0fe4c4ff16b05f67e52cf6703e1ba4903147bf3f5d9b23e289692dc6a22c9189cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0ff633901f3b30dcf3dea2431bf3763

SHA1
10ff8ddb166addee61c650f3e956d8165b69b2c3

SHA256
77182cf030e979b7fdaf9b97eef18eb3b9e5c26b83eb53f21b23264546c86021

SHA512
39a6158772f57e2b44a5337d7354a3decf9cb74863c87c2c53cf9a6bc5272c2a5125fe6f22d0dfa8efaa7cebb15b49d66d5d6fa933a78e81496337eb41fe771c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f468bea1489d825dfeddc0823d0ce27

SHA1
7447a607247aadd8306af3ed8ab45e8b768e43cc

SHA256
7102178e9084fd89c04b13269ba1233b26e3865b0c789dc3c267966a8e9d9bb5

SHA512
ab9e511c979c388613a432e2b184175cba9701920c1a188d3284c3ba0da111f3647d5da9eb82848730c1ba101e8bd0c691377e1693abc12e0df7d873d274808e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3f9528f14f2a455546c50902d7dd2eaf

SHA1
5340728dd78cbe91f741d84e820a912b938f2ea8

SHA256
3df8b2a1232f8e9f0af3a90d80583676aba8657acd2ecc9269e5159a13fe7529

SHA512
b61f43db4510577f0b07d1994b63fe92e2d39dd23aa3219fe03e44fe19ad7901483e5e7ed138e06a2e9f85e00d0e147d42ebeeecce645a1c280cf2aaa9c76110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53d551fc638cedad0c6b6386fc6b6a29

SHA1
c6a67d0e148a4102a9c7015daa89fa04b3e4f16a

SHA256
d62f918cd79169695b2b53bce386d40bd6a2c5ac4f0d243aa1da99519bbf396f

SHA512
cb4c1bec71ed4beddf419de703559a4e040b7d92a97d00554f9c1cf3bf5d35ece8edccf432c779a57f38adb9c912b4ea4fb480fd2caa61890d9b751595fc5d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a448bc71048fdfb6b98c992961939fc0

SHA1
ec6bb1b9aff0a1e79abcb9c2f9f29c6a5c71f8fa

SHA256
d0847ac51b5f5fafa1586b8c71b032f5cb875fc142df76cf29bf06e32b4d84a3

SHA512
803e778bfa915c95b1b8c1d97b0e617798898586ab343f9a116798b259d52365d303ab37fac33f3a1eb7fdbb66ca2c33547cdabc1ef2769928d5c9de19c487f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9058130c9e6d60b00c2afb15f3455f6b

SHA1
4a0bc634c3d5244175b0e8742d8c3185b77feecf

SHA256
d4491bd94a018453bce054c9718ec2b44aba74f50fd82e9b47c7e5c4829502e1

SHA512
c86ac4a3ae32939d2be60c8c53b2e8f664683802e102707fbebd8123beee3bda7d5b6ebcaf96f5d9e4dd3170afcf284e4e91833d0a2103efdac299691eaf2b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
3eb1b155073d0148d1c7ab5891223dde

SHA1
72d09091fce149c25123436712915c517ae1dfab

SHA256
964662f967cc899f931561d6113249c42333f384a80f22c57c365f8cd640bc67

SHA512
2b73a24bddb0ec4032d2c7b0c194300dcb05e151fa4009b4062f9ac2c83c37fac5bf59a75fac6c41d4aadd4036c1ede90bc084cd8860191d46ba1321d676a4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bd0b52a097143302cc549bad740e40db

SHA1
dfe3731ed2b076dda6098b94f84c873d350c854e

SHA256
404dfb3e56fe9267e03b480c48c84a21ba98878ce126fc83d03260587f478ddb

SHA512
c8e0881bd4f5a90f77b7ee25dc496ef5d74a25ade7ccf8155c06191ecc4b1ef95e298d30d8a00fb4de28b5b61accb9e9be3dcb9e0d4d31e777ee26a88a1cecbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97496ec6354d01ec08f2157560c8aef9

SHA1
41c9d8429511a9061f830687bc7dc245d2aabc40

SHA256
298474f3ae2d636251de3c7ac1578d8e53ccca82ce8d191cdad6dff4a73ef196

SHA512
dc27f36be80d627c046387e29938feb5963ecc06c73e129be5047c00a818405b0a0dbffff1de8e8f8d990e729840bb93bec80c3d00ba75e9b04055ebcde38148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584aa0.TMP

Filesize
370B

MD5
7ffc578f9759cb3ed6349f3f240d0a64

SHA1
79c39b311f87580f44275c82ea068cf47d7ee9ce

SHA256
a15c86a4fd90fa6728c42157d9a8c09271d8544ed6cc21c81cfa258659242299

SHA512
c9a2277841c41c0e91ff1d08c223212ced64b6464d04575be4dde61d08cde0a00393159e8af18f73d3ff9004d6e09ac5961dc6da62d947729d15cf3ee9027657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a50edf73d5d50cb8c8d62951e04c9e17

SHA1
a27a6641393b0d77548c3b3742a2997d5acfafae

SHA256
10ffa19f9ec57f54b4bba167cb2e95fea0eeaad65a0f0a7d6b7a7882af05e165

SHA512
08d93cc0fda1f3e21e1aaaa9c963f7c34407e0929ab67fd163c26e5582b62e9be088ca0a6a89b398b61a84e5f0a565138546330cc983933e7d77ffebe24e005d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a2f246a285f7ac60e52433fcc401ce5

SHA1
aa991fabd84ce95b4f93d2ce6022e6aca5016d6d

SHA256
be63f981f6fc71eb92d6aefbca01534f8cb5b3a68e9171d231f7301205fca2bc

SHA512
d85d394eec51d3599e98de123bf69daa56c9f20ec25e6e2247d5e8d1c626c95f39557fe577b7aaa959c2843b92924969775e72228afb73a792f10b57c591d963

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_2568_RAKTJDJMYSCRMJYL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit