hxxps://encrypted-tbn0[.]gstatic[.]com/images?q=tbn[:]ANd9GcT4xupzWIb5woeBQe-K_4x-EPOOdfNeWw5tw_yU-TL9gPidKj5lyh5aMvMpl9fu4XrhID8&usqp=CAU

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT4xupzWIb5woeBQe-K_4x-EPOOdfNeWw5tw_yU-TL9gPidKj5lyh5aMvMpl9fu4XrhID8&usqp=CAU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{8922BDE6-9C0B-41A1-882A-86E3D9D466BB}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
3100	msedge.exe
3100	msedge.exe
4224	identity_helper.exe
4224	identity_helper.exe
5376	msedge.exe
5376	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5220	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4892	2004	msedge.exe	90
PID 2004 wrote to memory of 4892	2004	msedge.exe	90
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 1468	2004	msedge.exe	91
PID 2004 wrote to memory of 3100	2004	msedge.exe	92
PID 2004 wrote to memory of 3100	2004	msedge.exe	92
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93
PID 2004 wrote to memory of 1212	2004	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT4xupzWIb5woeBQe-K_4x-EPOOdfNeWw5tw_yU-TL9gPidKj5lyh5aMvMpl9fu4XrhID8&usqp=CAU
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff952db46f8,0x7ff952db4708,0x7ff952db4718
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2464227927871241881,17828327942132719409,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
27KB

MD5
7771991e13025fac892d4eb15dc6602b

SHA1
0ed9253b5c8f3b9c9a6d2082fb24d0be93234dbe

SHA256
23e1be00497c5a56cb74b7b519e0029a0bac6202e1b1b0e32c57c75b68314f3a

SHA512
185ad33b1419b9800884821a48996b6b963865346d37a7436d42f830f10eaaa78461d27ff47aaf462bff4d0f6dd5c1e8f945e3dc86cc79ee6566e5c225fbdef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
63KB

MD5
071e4792c5f9bb26de2de170758bbac9

SHA1
ccb66d23c0635ede4beb91f76e7ff3f6078a763e

SHA256
18fb0bbc6c45ced3d8b5cb872b4e2922aa6e3d2cc91342667b087845d7957b58

SHA512
de4771f5f73b26feb0b4ea870f5452bdb98c81affd7f841967df13b6067c52b325a787974c84f0917af597ecc572546a8f2e6fb5c2369e17dc806c72e406e813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
73KB

MD5
71ea693a9c6fcb790dbf744380729d75

SHA1
de389db6e38b1c28d6462c9f201bdde87a9a925f

SHA256
d8d8f06d8d0781e71bc0fddd0fa750b77d2313b2fdb9733f4f7993a7e1f98455

SHA512
df3ab9c8da89767dc3e5c56e85b0854a9d75d55376b24d71a526fd60fce435fc6871208a8f35d3c6677c5cb7486b0ec554ddd71fcc06f1198abed4714ac00314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
90KB

MD5
63e3ccb19e63d520b437038b0acd9d9b

SHA1
f1771adf8bffc6de75e7536d7a8f4e29bc59238e

SHA256
6ac3f2415ef1f9a00b5136286515fb7180a65a4b3db285f1f3dc33e641f9fc1b

SHA512
8cb75e66393176a6f879b90f3a31d7f5eeb20b3a2e1ef3b7d8f2dc4f2b2d239d3837b15cbd38783791b40936e2c4a095903dff293ecb43310f78e473725795ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009a

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dafbd6895262bfb81a364c9ea2f05ce9

SHA1
6ff871bb04668879c81eab53d4da9ad1076a06f5

SHA256
8a9a7fc04ea93f2d42639910b63de29878cae43c400e14ddb88908e511b7cd13

SHA512
0215635dc51e649692dc574a2b0fccb1ae8d9ba61994079fb66abb3395f3dcd3a6d5026c9992072d31bee6af0f04ba0e37c7c7a9cd1b1989db8206746dd41aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
eeac66aa8c511585bbd364d6e68c10cf

SHA1
93de87ae3cba8aea9ae5c05a57187b1be331c27b

SHA256
84ece73bb991d5fa9a25fa96422f833e609c32655f76fa713408b52a28203445

SHA512
055ab2c73225fd4cd068ad4137485c46f91f40fb87105cdf30d5e5246b03817a522f2dae6735a6d022550955b72d225ac511b292e1408ab5ce306311a8881926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
86cba95be23870e8d61a03dc04504a37

SHA1
ba2a195938e873ced582db7aa23797ecbe098e0c

SHA256
64309ea039cad547f0d445b24b90f3c52f78ce7c0a6df1ea20f6279b25dcae98

SHA512
34312e7774ba43c35563a3cfb4191919208a8f7c45c62d1ffcf277bfe21e5d082d961e9e1df56bba2fb3d68783e7b69c80c6f21caf9062030507712bcd66fe18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7640774dac9759a39b4f4573d230107f

SHA1
764cf5f9ad729e22e28e6d2983198ff75fd31c24

SHA256
eb00e32a338d19d9d25d0727504a82a11896a0757184a25e1598e488a15b4eb2

SHA512
8ef36328ca807654be7760c8a7f7168786595965d3133650880ebcfc169d2ce403c25d4177e6a7b09035b5cbe694ba0d70d4462dcea0d0ce2ed49c97057ace64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
091821736b7b3cad4707213e637cfbf7

SHA1
69ca28af877beb0bc61ffba6a526bd212a1e22f8

SHA256
e1914b078c9e612c907905612ec82b908ba6b822cfda019c775c885c74d5cad3

SHA512
ded86d795e875bc6aff9e0f6f2bb6bc38824a22f442bfedd6e87e5fd13fa12ce4deb36a1a89d16b3c628f652dc3f56aa5f923849c765934319dff802254a5638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a07ac4b38f18aec48054ab90d329dd13

SHA1
b9ea9c6eeea3359f6137aaa8e6c8a4debf599918

SHA256
413a099934ee04ecbbfb5d04d4d7df297ed983f108264ccdaffeb985826106ad

SHA512
72a66b827f9f1608e81e5a0cf3a53aad131121805aa16b1a038eaeb010a178741dc027f1377531f5896d27383742226d70fb60517a2afd9cdf35d444fc1d0410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
20068fc8e442da072c44f261f9177a1c

SHA1
c8ee3b9639b5872438975fc51f2464ec81d58f54

SHA256
23b1fb32833569c84c5ba30831660c83fcd12ce036c51a90391ea41b61cab668

SHA512
95fe211320265b08f99fbb14c8a824624dc2236d347f250c911af0d28a48b8343dee3b2758f4c829563a2e26111cecad382415e68ab1b0839339c119fd50ea12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3247f9be972afc028055b13e9e0b7bba

SHA1
683e63217da941540f83049ddfc6f07932713f0e

SHA256
a091f66a44c2b9337a315980b4575bb66ccd789c57a39ad89f7f6375c29df811

SHA512
2c0d98bb17342779a5707f39bf2614eff16ccc2107ea634b90840c0810f042f64d84559143cbb458d764723e5593d0c0831c0b74ecb8649c6f4e69c0733c4d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55493508afe3cc5f032f8b8cc78420f8

SHA1
4bc6811dc670f9f8c79455efce5ba7d1b4928943

SHA256
95f5b4208fe7a900c0b857789661611619c1db866738ecf20fd8723c4d461d6d

SHA512
858e1aadcd073d6ebf02ca1b778af13afbba50c6847d889983ddbb00a731566fc128b059700fd001c74cd30e1ed4ec9e42242e29342fcfd7de057504f58757eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
abaaa2e6a71d46ee0e3a110f60675a50

SHA1
de8c420d0772df5725b10f0a003ce6b90b27c949

SHA256
a5844156f338894aa22c2616d437a9dbcb4a640ce341af9bb989c9f02155aa7d

SHA512
7c226d58c59a5abff173e63ed86ee95adf497b80cb88eeabd5d50d5d5bd9fcfebc1a3d1e3c4c622fe6e40a0a64414fb3e560a325f16ee079c72d7e67b8572815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
eaa93d7a8aa76ebe420a951da85ea62a

SHA1
c8778fb7d2a997bc7c999ad0cccbf40e42b6f929

SHA256
f7b1e2d8db00dce991e9f74e0cf42efd51f1d5d47d803e3da3ab84832a1d5e9c

SHA512
9d2817f964e9ec0c8096ab07a4b8a1dae24786d029ae04110274285564bfeef6a9ae2a1dfddcf6f0320c09333c25249ee738962617d59714ede1dc796b15930e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d3afbe62b2fc8d30efc3e4c3e804a7b4

SHA1
0f139730b5f1d912bac88c004ea3feae3f37160d

SHA256
afa04787157f7e2a82a45ed70f445b451a8a413b0078a8b43115c8dc3c980d93

SHA512
7270d16a7302d29e321826ec6466a514791871059da9a50b2207a4a989e8f4ca449efbed6f2a57da636e8f954fbe04df4b475edbd6113d5c4b6676236e8920f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58072f.TMP

Filesize
48B

MD5
819df9ad589b63f512d7504693a03ac9

SHA1
c9e727cbf9fe4606e3e2cbd7b1ac7466a3252198

SHA256
2c5c7f33144c25cbb4fa030ed2d8d056a6a9ced882d702ceda8ed7f0a1a958f4

SHA512
4deeae89254ef336aaf0be5f488f211df53094706791f08698a1dbafd02037f9650a44269e2b37fb800c4026e2d37d1f748ba2708c61bcead7cea93e16a3aa42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5e752ecf8512dae6234119886ef2871c

SHA1
258b5de35dc2f844737c284e2cb9bf7f6c50e6be

SHA256
88954129243a818df0a1ffb998012aee9e6f3f4fdbcbff1c4d8bff89782689b9

SHA512
52db77a8cb5047973304745b969b0ff7d3198f2ae652fc916b1568869a081b3151c32f487bd36dbbda670f6bcfcf31205f929951e0ff2b9cfc73ab54a03b4085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de3249676d7dbe308d1b3299fbec1004

SHA1
c00f8ccaa3a58f0b91a43d362500392f6c34d984

SHA256
bd729cc31dfd15d0a5d94cfafec39e6e82bdcf389eae00916225485858bd4253

SHA512
85e18626540279ab5d4eb3fabd61d760cf5f84410eb5961f4c3c99403ec4ab26d898712c6f504245494d133b761606d7b005edfe20264aa8149ab07050dc3292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9c7b5b170fe8fed0d4472af53507057

SHA1
084a975a7b8e9d15b5e356490a32cb84b5900f1a

SHA256
9d38ffb66e4a81f724a454a7019deba56d0ff7e4ce521dd0bcfea45de50c43de

SHA512
ac476ba32b6cb96c3a34e959b078ec4f8130cb14fe536d98129830f89e87bf569a9295edf2e535747e5ab6cc9930280ec2f4165be8cbe91f67f1b165bc436cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7a4deb227925ecbe270f494f4a299ff0

SHA1
a2bb236a06bd3606a65167b3b90d51adcc7c1b57

SHA256
1e344554bb1693bc57c73605043728067fa6ddb175f41594134cad1a69ad9507

SHA512
65c9006d75f958eefaefccbbeca23711753f09eb0e7be96dd6a69d28c4c89ebbd18feac1b58118a1bf3f415427540e63eae8cb924b162337d5e669744e2ad7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e455.TMP

Filesize
1KB

MD5
0c7bf4831548a89571edf5d8411bd6ad

SHA1
1e8f296b3129e0091cb20702f856564318a8da36

SHA256
0c41346f846c0008837e01fc55779abe7ba3b65c69f0c081f0174f0266146bb4

SHA512
a0bc9a5f5eadf5be80b0936e84e84e0e8c0db3080848820f76f36fe49dc4dee733bc8b5fef4a3e5d0faf08fd13f5be8a61c7f41a98d2235f7fe7cfc0b8faf8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e93b584e-535b-4e98-ade1-cad941656b5e.tmp

Filesize
7KB

MD5
c23960873753ff5f5fdf218381238d82

SHA1
159fe1334bd3c49e3a99ab31e05e3a02d23b5d93

SHA256
c0325fbc1221c309d1d80a3672181cd53207e1f38b4f658eb9de57dc3f96fb4a

SHA512
ee3e5aa30970a74b8784e2e793d209f9ad2b82c94bd26c42ce30831efb4378b8008fa96c88ce992d508b61fae8e3bcabb079fa5ea75ec5a3f1466c80536e7ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eed622f127acfc3b271d4d47203c8699

SHA1
54d2596e804b83f0c11dcfe11638ba87d9c7e183

SHA256
60bcfbc8a8e17e3a3a2598115d9cab96125a3b89c1f73cb068ac7d4f7ea48122

SHA512
1962a06081c8109ba6a2e58708a46598c3257ef6f55ab0eba16571732eb89748227869a546c140ed45b5e232ff38a6203243d824d079a0c5dec7804df5078700

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit