hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbnJCVDEzbGZCc0RNRDg4U0liWUhoRkhaeTd4UXxBQ3Jtc0trRXBQNWNCQnlYSEhMVEpmWGtmU0lFanVQbWJoOVZKckZaVnVpNndCUVMtZmQxa25jcTVhTUVOSkFvQm1LSVlncUNKNGhtMGo0dGhOelg4T050TEE5Qlh0ZllWS0dEcll3X3ZQNnFvNndod0RhS2xvNA&q=https%3A%2F%2Fpastebin[.]com%2FVHnxgyBQ&v=FPJDE0Jgdio

Resubmissions

23-02-2024 06:43

240223-hhcdlsch7t 6

23-02-2024 06:40

240223-hfmrkach4y 6

23-02-2024 06:35

240223-hcc3yscg9s 6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnJCVDEzbGZCc0RNRDg4U0liWUhoRkhaeTd4UXxBQ3Jtc0trRXBQNWNCQnlYSEhMVEpmWGtmU0lFanVQbWJoOVZKckZaVnVpNndCUVMtZmQxa25jcTVhTUVOSkFvQm1LSVlncUNKNGhtMGo0dGhOelg4T050TEE5Qlh0ZllWS0dEcll3X3ZQNnFvNndod0RhS2xvNA&q=https%3A%2F%2Fpastebin.com%2FVHnxgyBQ&v=FPJDE0Jgdio

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
43	pastebin.com
45	pastebin.com
46	pastebin.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3316742141-2240921845-2885234760-1000\{19A25466-3D08-4645-A93F-043D82E821DF}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
5112	msedge.exe
5112	msedge.exe
1372	identity_helper.exe
1372	identity_helper.exe
3008	msedge.exe
3008	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2256	5112	msedge.exe	31
PID 5112 wrote to memory of 2256	5112	msedge.exe	31
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 3760	5112	msedge.exe	89
PID 5112 wrote to memory of 2592	5112	msedge.exe	88
PID 5112 wrote to memory of 2592	5112	msedge.exe	88
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90
PID 5112 wrote to memory of 1924	5112	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnJCVDEzbGZCc0RNRDg4U0liWUhoRkhaeTd4UXxBQ3Jtc0trRXBQNWNCQnlYSEhMVEpmWGtmU0lFanVQbWJoOVZKckZaVnVpNndCUVMtZmQxa25jcTVhTUVOSkFvQm1LSVlncUNKNGhtMGo0dGhOelg4T050TEE5Qlh0ZllWS0dEcll3X3ZQNnFvNndod0RhS2xvNA&q=https%3A%2F%2Fpastebin.com%2FVHnxgyBQ&v=FPJDE0Jgdio
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff9526f46f8,0x7ff9526f4708,0x7ff9526f4718
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,13707590655287032862,1306982566735768073,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x2ec
1⤵
PID:5348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1af9fbc1d4655baf2df9e8948103d616

SHA1
c58d5c208d0d5aab5b6979b64102b0086799b0bf

SHA256
e83daa7b2af963dbb884d82919710164e2337f0f9f5e5c56ee4b7129d160c135

SHA512
714d0ff527a8a24ec5d32a0a2b74e402ee933ea86e42d3e2fb5615c8345e6c09aa1c2ddf2dea53d71c5a666483a3b494b894326fea0cc1d8a06d3b32ec9397d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa6f46176fbc19ccf3e361dc1135ece0

SHA1
cb1f8c693b88331e9513b77efe47be9e43c43b12

SHA256
2f5ba493c7c4192e9310cea3a96cfec4fd14c6285af6e3659627ab177e560819

SHA512
5d26fdffebeb1eb5adde9f7da19fe7069e364d3f68670013cb0cc3e2b40bf1fbcb9bdebbfe999747caf141c88ccd53bd4acf2074283e4bde46b8c28fbae296f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2fb547ec9cedcb09df6ac759353e27db

SHA1
7303ef132c334adfeb16df9feb2cba5305d8fcc0

SHA256
89e6becea70ae0214b6061664d4d97348a3d4a4e89f264fdb45fbc0c60abd7b2

SHA512
4167a7ad2011b0bc0a07ffc347660f5c02e1aa1da57494037b1abba57e9d4ccabbeb84b32ca841fb990da7b1665877a9b5f2edf59b5a57aa4e2a0b1c0f591a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b3f15dc496bffc80d53b34f2d1b8cd52

SHA1
1f4c915e9a7c42ed56ba9d9d9e11a624bb171649

SHA256
43d090aa2bee204bb3847b5d9ea2813006e8e7a2b5e8e8383e7be57f27fe40ba

SHA512
05c38235451befddd86ab87062857a1a7f67f53a9f0abf5574556233492e1503da996189602643197158b5f1200428b8c494aa04c0ef136af95d11cdad12b207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6395a671b785b8a53980a343b978a96f

SHA1
9b22195c200c60c57a2565664abc52717cf3d8fb

SHA256
e47f2149b04cbb9453b56635d36c3c5ff79b0470fe7d4e13b1bdc9e75e99d1eb

SHA512
1bf13c8030d7108a75aa77d45aa54dc129586e8a12a70e91524050ddf4a51665be86c56b503efef810680a3b345f715cb38d02140cee5bc3978442c53f84e395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
771358475a715d9c3cc113bb796c68fb

SHA1
a02274caa8b22624ab720fb65ded7845bbfe3e91

SHA256
90a458e225d344579690a447e0c5dc7bf78946025bfa497fda6f93b93ec649d0

SHA512
9fcdc7809bc9cfe8daa8ffe540ffe98731f932bec2ac80e61329a2010852a4de15faa8eff8bd38ec1878bd49efd562c1d1cded6526ea8c088f74072881a5c245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fb41fe638810c5a35f4fcfa76001fec

SHA1
e5fbe5e1fae7c0774cf6ac170a20176f9744a0d9

SHA256
1ed2a87c60cad81c2cedc0b3d953af1f98b2f57cb072b8a28923c3545e3c4868

SHA512
681309e7a349adfdd811625a0801f43d3c664d67f35d0ea8beaee3080335a00840f1c97316b9480f85103436cbd4dd7cd403293ff783c59aab15287c91b385e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1751c6b0d174e1b80353c1337c027bb

SHA1
18d7006d21b1c2db81b375a21b70ad8d0e19554c

SHA256
89a47a43b204c9f1315c8a2aba90694a457d2d06286ee7531868219bb0c5947c

SHA512
603ced1265262fc3090e1232a7bc500df1101d5184084282e6802f0ef82997a4e83c4a2d8da869359abe63493286917acea269cb0656bd8d371d07d44cde8121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1be658a626bca2e5cc26224f66ee7d0b

SHA1
51041a228064583e368bf212d60b7876a92ad20a

SHA256
c4eaa5b4681dcbede1b66fa38b4027cd407c1925417c628774e886467d124e42

SHA512
9b6c7c841d8cd1dbea7f5522bc9e49f0e144f72a9d10df43b624995321a60126a5140b267157581e9acf85973e442f3c9e9f07c4f376add68a425d92d6904cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
0aed06c4c90f7ccfc27aba79e63dca50

SHA1
8afa0e910355899b81a9516eb22f64cb3588d5f1

SHA256
4c83a169af6774b587e0a2940cf403054252b1eafba5013c22382a427eac755a

SHA512
c9dbd7d4dae95fa173fb75765e362d89ac5e51a96643ba3af655dc01583f009f333b749b937a4f0fd5b90529bf8e724342e8a48ed121b5f74761f4d73b80e2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b8869856cba82f8080310169169d9ca2

SHA1
57220110e678292d12fbd661f2990a405be3e20b

SHA256
d83358bae3f6b02aa69e7bb9d4b93fe190f1cc9214203778f2ce33a5fd707ae3

SHA512
932de647e18c3cc6c21d65c89939f9288795cd3716e3aeab802ac8f72d8ffb74bdc468072762403203f755b3f429b308a07f5049ab01ab5e6309c97ac3069f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
24cbbc8048d9c2764ed593f72edab9d1

SHA1
aeaec877ccf4a62dfe098f2c048a0d62247cf457

SHA256
8b96092296a35b3a03ef638415512505508b5235c50f5b0110b708d45214d586

SHA512
eca0ecbf130ea0290926ebfbd5df1a1444c0205621136240395d4bc6a6912b70706daefb76e87739810ba99d9ac9a89e44ca430af4bbdb672b8f2805377f560c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f686b47f46df8f6fc03c6c0b2d123147

SHA1
6de6bb197aeca5d79268a7fde56990bd1bb4056f

SHA256
1e6906f6ad67444d5f0985e01d00a341d8fbe2384de3505b4904abab84f9ba50

SHA512
a93390fc3bbd5ca356918526253ffec74f5cde177ad6eb4fab5a83baeb0ae885abd2cb9501d3d4550154b2fe7e0de0def42c69089783f0591c01ee944444348f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a009.TMP

Filesize
701B

MD5
6f7e3e3603c4ca9d7051d37307802978

SHA1
b34a4b585fc3caf3baf083f3c45e5af64f198f78

SHA256
a45d7f1f88b1ba23ec28c4b988243f2a88946cd5b2fd098459dc9c7b56529c2e

SHA512
5f61813cbdf0d22fa3924dc72ead28eace09105a04b1e655b7e290fceefbc7534ca55a38d3ba6acf0c11559b08ab777c8968014d8aef02747b27e9ecc2ce8ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5c3b9bbe18bd7445d645abf7060c7df

SHA1
35b0bac0d24ba9a3910ff8553eead7bb3e63c24f

SHA256
7dccabc141d3e30f52e96e2ae515c9458079b8bdebc52a87c0880a1b293cce3f

SHA512
e1ccd0efdfa107020f40a40cbd5ca7a60638e25edaa144d9f7094622ebea3dd09b5cdc642f1d4e2a7c47915042587c18ac1d1320d9b1064c0a9c301a7628ffdb

Download Submit