hxxps://pastebin[.]com/m63j5p4E

Analysis

max time kernel
299s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pastebin.com/m63j5p4E

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
8 pastebin.com

flow	ioc
5	pastebin.com
8	pastebin.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3564	msedge.exe
3564	msedge.exe
4004	msedge.exe
4004	msedge.exe
5640	identity_helper.exe
5640	identity_helper.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4004 wrote to memory of 3792	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 3792	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 1108	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 3564	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 3564	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe
PID 4004 wrote to memory of 4472	4004	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/m63j5p4E
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd7cc46f8,0x7fffd7cc4708,0x7fffd7cc4718
2⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
2⤵
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
2⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
2⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
2⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
2⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
2⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
2⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
2⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
2⤵
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
2⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8068 /prefetch:1
2⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
2⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8856 /prefetch:1
2⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,12735627568740072596,16335948300663378937,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8540 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
134KB

MD5
905260e93ad24e051ae273b355005be7

SHA1
ee3a57ba288fbca4e5b2d177f92e2f1be89021c1

SHA256
2f55472f20f03ab615997a78e6ce099a18021df507ff9dd268b4665dda720eb6

SHA512
8cc2b2d466993926d34359e326356ca8114b1e90344ec2e987aba13227caf603e0ac9959bb01adb9d28b0b8dd1c8faa5e68a8c7900bb7c2806484b936da42e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a
Filesize
242KB

MD5
ec1d6f2a95ce63412ac2a26f98d2e278

SHA1
71dc591b9dda38379283a88a1d855ad3cb31ffde

SHA256
ceb2ff2b2503d161d3df7cba93731705a44582ef0a4ff0c0caab8a43176e14de

SHA512
56f7c53171f497afa4fce571945d6c59700f9d9fde77c1fbc7793b2afdaf0c7a82b24a28c80ea5fe8f27e103a813a06be9b23b71beb5e24af8ee255805b55704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f
Filesize
62KB

MD5
cfa020ca66c38d717fe9da70815165d8

SHA1
127b15a0d8d5dc35996f9892bdd34b9c118b146b

SHA256
d840f4248e17d6c34e790cfe150d81bf6d6db3fc0fa8d82c36029e63db0df303

SHA512
d77a02f6e92ae56f7c17426d507bd61493b4ad11b3d664aac5fd08b9d91b3b06813aca72ced00030731ca39d602e670501713657f3d6cda21dcd7fc9721726de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
31KB

MD5
c58b2cdc4b2aca6d0b2c5b3cab3f8bbd

SHA1
3d22bb3caa7a2f4e4c58f496671c87f038641dd7

SHA256
453190c377780c54c85af5ed4ead80ac2d1dc805c7e5bd5e0c2a836f938e214d

SHA512
09277e9da5da3c0230c037977762d6a60668279cacf98cc28d40b1376b4c26209dc03ebe8a402f5242351e23c4d054098ce25b3f97f8d78853a0c02ebd848418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
9b2e94bfe7964a51a09638f5cc65f40c

SHA1
a9131303e3cd169fb07a17dbf9ba583e31f46b20

SHA256
ded2898eb59b825c9ee183bc81929ff7018d11b1d048cfd5b5a7f92e61875bbb

SHA512
b2b3c837d63058e9dee7607dbf5ed2c4a4410cf0d6800acf455defadbf1578197142abd3bda1f5c7485697e9f5a0b90f2b75a5f43d8ccb1ddaf3c09deb6219cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7fa01ee01ca52db99ccd345f56bbb9ae

SHA1
f44437063a030eb95c5ecef5f43e0b439d8fd685

SHA256
d30349c87df7d0b17eaa8ee87f7d4739eb0518c28af55199bbd88c5f3676d879

SHA512
e16d80ef471ef22d45068c71f4075c53f1b06473fb8e1fb760af4104a05e2abc93a57bd0c4f5a05cb6756042d2b4f0d7643976c70e8ad690725ad76e07fde834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
d138c750c209fd8bcba035f9f6b155a2

SHA1
498d93711d611912c80f56e6df260c9d7ada06e3

SHA256
0f2b26cee59f5e84696414a69e855cee4a79dc18cde00f64d674d39d7cf098d6

SHA512
f4825cdfdb30a9295d4f259b2cde67c73ff844b3cf37f7954ca868ae289261f9175a09a48fa4b4954f3862bc2b00359d6652d225edeced8478cff5777f69ade8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
789255bab94ceb2e9680e15352777aaa

SHA1
2e2c91e8f6abe5bd65e7e4f1acd55a4aad23875c

SHA256
983542cbe529691a6c3b218c07ee9b654148a2fa061a2b8bacbd5a418098a5d1

SHA512
de230a064529eb6e050325d04ba9068de71e50056ef227b7fedd95869482efa1c210763a064bde55ec971a32de19e2e3d02d95dedbf82b31f96208cca7bf28fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
7KB

MD5
aae56b84bd691c9adb66262819cdb162

SHA1
5b80f4a134ed00cf605f2c79c61f01b6ae33c523

SHA256
111226de01f3d926ef91b89aaaeaa4730935e3a73fed28ff578a8c39f83c3088

SHA512
261d2c4b5faebc8af1d34d10a22f050c920b752a744c23631efcb1c373c5d5ac71557bb16dbea5ad9d359af2e0bd3263ae97875892a6fafbc9bf5b876c747028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
8KB

MD5
c8a64f4754de6f4ab03170681df6e061

SHA1
1b37f39224a34230d85f2402bceb832be019b4d4

SHA256
55e664ce55dc76bb4178f00f8ca3c0181ef65120f1033d2584d9d4f0ee64daf4

SHA512
caf1b62f35f8d03d3e5077465d1647a191025a4dd59af6a3a1c51332197286d3dc7599f531dc11c9763e9bb1b0d149cd60456d7909bb7d46f68d50b4e4abd50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
2e78592ac4a61b4f834a75ec7f7b0565

SHA1
4e4276fac724129071e6e922cdeb4142f48e2378

SHA256
41afcd4d4c9a3760353f90a7c0fdc648e65174abfc956249bc4f08ef5abb3a9f

SHA512
0653a82d11ec133fd37f9538325efe2f67494ae87f484ff400f541c6d13372529e9ab56c56fc859b1b6138bd929c5e29b3880d1650ed3e300083962c56c750b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
26d420724a45568162544fda4ee6d22f

SHA1
8265323a561a01773bbd2e0241c275a82a79c922

SHA256
374ba01e01232262ca51584413607c7e7dcaba99dfd342abfa4446612d002c6e

SHA512
744bd3a82aa86e20d173ce94181c3cd84e2a893259abe99141ca5ee6e32cb993d5bae8389b2ca8df495bdc256634a5b5088ebb91f994941debc0468407a392f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c3a5d1359d87b1af39be573b3f13750e

SHA1
8be61b5fc877e220bb696e92a7aa77ac702a55ed

SHA256
427f4872c2883ac55d12eba826a1ed6729778a6c435e71ecd2427283a50a3916

SHA512
528eb511e08b845f172cbf2a5064a9e4eea3b0cb8ac635ec3ad6cd0745530a6350991bc8aa187cdc79581bf0002222603da21a94277c8a7ee380f4471f9f7c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
3bc8b44f12518061c73dbb2989747069

SHA1
adf81194193192ab949c11922a909f3ebc048ccf

SHA256
2704b872f7a1ae5368418dd372bbb71693bb853fba951791e5a58b840ee3339c

SHA512
88954b938718445482ec740b6cdf4ad83c46bdb9256c359d9d1dc9cf96a3d21c500760a55b945c67f005ddee43e25a395a2e5201d9ccbb240fb01a563abe50fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
eefcdb34b925e32184cabdb12e957e15

SHA1
0fcd3aa0d4006a939cc2a3db1dcc7a6c50a3ea0b

SHA256
c2657c76a390576f11948567f2567c3e34fd0b64bc02520391f0d59b8b37fce0

SHA512
97638fd8c67cda4b7ecd431f3855103e416abf9c349571ac145a9c912c40d39df16372fa4448714059d44802aa5e44b472beaf4406a2ef26237483508acba2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
8ce74211d9b90996ca09b6fe4360948b

SHA1
c889cd2497b0b4533e570b60c50af8760d37785c

SHA256
f5cde22f62c318df3c6366bbee2be646487c5a391b5ea258b9aef75158b1cdd7

SHA512
2e2de9067910c04a9895dad4373ad62bb14937bd0bb3cf4909073503b4f464eb8ac085b976e0ac09aa14c700cf3761913891b83abcb1952abb7d808d59874b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
3f8729af3258942078f26c097d887eb9

SHA1
01f59c1a03c5055cfa7942aab23223c82c38c6fc

SHA256
b018f80eafd9c86e367b2493a350c7a97f6f8a74310f9450ae25c3847a8f3727

SHA512
1c8489a292109c5f9658e47a83485c9fddecc52f11a7168b095d57bae9d37528660065550ca48cceba5258ce229dd924dac3eaafc9c15b83794d32b9767d7512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec83.TMP
Filesize
2KB

MD5
4db1a5f42ea6209c125223ec2010f645

SHA1
37fd5b19413dcc58c61e82041aa7b611cbbd1552

SHA256
a6874645eb4dfe7863cd7e76864a3d620ddf28d93a85b66f849f15b017d779c9

SHA512
0663f88a9f02ddc77c286064626d5f63d0af6782d9502de64c2056072aff439a0a6d27b6ce4d1a01963008be6ca9f42b16b7e20ee172f3ade9114f794ff95f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
fd8ab76a3d8197b73cb383dca2d23dd8

SHA1
8d89573a5a4abbc36f3575d1666a58f0d9408d0a

SHA256
ebcd6992cba2bd4dce88487dbd715c32850eed42d4102f795d78cba9bb6321bb

SHA512
fd019909a2081efc1eb83927c3e805ad9f126d3651151dfc515345d857f3835eada80d8911c5a0afba7bc6baa8aaa9d042dd6d50acb6b38bfb46576f624e8cc6

Download Submit
\??\pipe\LOCAL\crashpad_4004_RQSDONFWNBTGNXHY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit