fe27903bf96a553d62ef5b11e29d37d1def703d6bd197d4bc3400881e7dc0721

Resubmissions

10/04/2024, 18:44

240410-xdlh2sgc92 8

10/04/2024, 18:41

240410-xbyetsbd3v 1

10/04/2024, 18:38

240410-w93xjabc5y 1

Analysis

max time kernel
163s
max time network
171s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
10/04/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

98f2f00a13a961ecbac89496e55848a0
SHA1

b571d90566409ad7b37ec30fa8d7d930e0ceb430
SHA256

fe27903bf96a553d62ef5b11e29d37d1def703d6bd197d4bc3400881e7dc0721
SHA512

03baeb7110c6f4f348ce436f595659f18318db741cb1d4b6966e4aff3d06ad5ab2ca32dbb576b57620f40036f758a4ec9992886df5e58a13942093d970a0d659
SSDEEP

384:rI+CtgDpmReVoOs4dN9ylKeGM2U8Hhhbm1C7eS2LjFrSE3+dxVJCBXQL:rIPgBVoOs4dryI1McBhbKESFrSEuJQQL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2567984660-2719943099-2683635618-1000\{37CECF99-7282-48A5-A565-6593AD54D216}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3952	msedge.exe
3952	msedge.exe
3948	msedge.exe
3948	msedge.exe
832	identity_helper.exe
832	identity_helper.exe
1556	msedge.exe
1556	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 1916	3948	msedge.exe	76
PID 3948 wrote to memory of 1916	3948	msedge.exe	76
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 532	3948	msedge.exe	77
PID 3948 wrote to memory of 3952	3948	msedge.exe	78
PID 3948 wrote to memory of 3952	3948	msedge.exe	78
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79
PID 3948 wrote to memory of 4428	3948	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a5f73cb8,0x7ff9a5f73cc8,0x7ff9a5f73cd8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6488 /prefetch:2
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,7920132460521600035,11908846256424425005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec7568123e3bee98a389e115698dffeb

SHA1
1542627dbcbaf7d93fcadb771191f18c2248238c

SHA256
5b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75

SHA512
4a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
35KB

MD5
a053b626552864ee4e93f684617be84c

SHA1
977f090d070e793072bfb7dce69812dc41883d4e

SHA256
25b3ad881a0a88c6228e12688078638fe0b96210d0f0e20721e3c911a5b37dd4

SHA512
f7b444b1a1c465a4614cd1b9bd678875251f44e227abaaaf1fa6b35bb67bb25932b9b11cc8fabd19d2d5d6e80c6ad0b15149869e6e41f6345db3d49f08683e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
1.1MB

MD5
d404b61450122b2ad393c3ece0597317

SHA1
d18809185baef8ec6bbbaca300a2fdb4b76a1f56

SHA256
03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb

SHA512
cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dad1c031bddb3df444441324e4a23013

SHA1
8d4545c3f786bf793da702aee86d36eecb7b4512

SHA256
3efac0f117b972b28d09b8d6aec53d8827fa0abf552eebf85698071c5a60cd5b

SHA512
5da1384fee030099d0ba2e9b293518c30828ba84e507135e9236fd1ee722824cb584899391d6d99664d210d8b8550e8506313fca9c54890361a356e6d6ba7293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
41dd44c0f7b609739d2a0f6410bc9167

SHA1
93ed62cf1d970e178ac8b8cf9d96bb182d4dd94b

SHA256
d8c0366befae6baae5ced6e18d7b054b5ff68851438cb6bbc5e7d23ef51c9500

SHA512
15892e2a081521e1f0a3f65a66daf4aea9115f2f1e99c6a0a7a528f2afe11b92681b4eda12c0d1f4d633d346c4ea861b84e6c1f8de6159b347fc79fe7f28214f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3f23b3dddd13a683de54dbe0c754ed33

SHA1
10f6194f3e14a26be9c549132a7676578a4cfe4a

SHA256
c1fd284813ec81b2f3ff9c65b6aafa13d860402b0134f8092ddb1bf9270beda3

SHA512
70b2d6b4f8fa07703f1c3f13c101f6a223c1c0c49ebc2ed0a0b677e52624f4e9f7667dd2b916a807a9f90e477733894bf9cce7079dc39233d52280906d2b2219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e3dde6707c569231e27a9c2a1ade9b8c

SHA1
8c6ecf3bec092f38615202e3bac7c19d178af856

SHA256
4675dff1faaaa94fff9c206621e0d1b648fe404b16bd780df581042ae95e4515

SHA512
ebda7465c17f5ccfd9079de7fee5e83e246c1476879beba6af47caab442a8bff2f5c55b286d571a923fef88893f3cbfeb2e35cc336c1b28e9430781b8c0c5774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
09a37d05c7a39846c1400807806fbce3

SHA1
0a9d4b9049247deb6856efb41d16a0ec3249b764

SHA256
3dfedfab84537eb9dee93ef17b1503364fd6b1215f12ecb4035ebfc2ada3a4b0

SHA512
ac7479a8f4e6565f4228f5132ed4f0ce1ea93772291aabd4840a7466d443a07ad16aed3769bf0af49ca11bcaa1f92bde56526e2476f87101d60c1a379a26a912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af07978cb1586da58e1aea76d001ecdf

SHA1
fc109c73a4aa9460c835b49b190613d84c03298c

SHA256
5a625e482e0fa86b933ad0589db19b9b92f5fe877fddebfa8058d0217e7981f0

SHA512
4b1c21256ccdf4a6c89e1778d6af71ff1471f3b633c0435d3539d38096a6188e4fb9fc4ba4a6de2e3dcb3d3d7fccc7df10b3c88f772708c6d43127ce4de28ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b597b7296564aa1481fe84eb983efe10

SHA1
6d911cf6e3ead389c25eb31159da891e4a230977

SHA256
d41b2be787b704203db02b809acd277c4aba340e5254b329d88e53d025e1dcef

SHA512
cdfbf0a57759cc028493baf522793f226eb86dcd434997cd615bca7869c1f6e71697d33bc96b5d471e0886c14211b944cc05b1c228c713513204012fd6153ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef54616aa3cf10c1811f0393ef29f620

SHA1
600ce4cbb4b3deb7d5a1b6f572d0db9ce528846a

SHA256
4b308ae56d79a49b0ce3662d14903f903b2b08629fe885c928e10aa4e3187834

SHA512
4417c43c5c74924fcced94dad84cdaf9e1605a4a4a8c7ee595bb712aed61c57925188b018959917111bd039a1d0e5f198c31773498da8e0266c5f13ed7c67a75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8df512d8c03ec47c002cc39589f3bf7b

SHA1
889f2c7081e44a0c997cbcd11171ce26df67a517

SHA256
158d3567a96735b09c2fbbb6ab1cf47f418539ea461b1ef499efba3937f3e4ef

SHA512
f8287ac22720be2dc8071ad55a275c0d59dfc11833f81ab259cb2c3a013052d28636c930e0e32c510609e369591f57c540ed6bdacde16ed2227d5fabbdcb5d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43776c1d0b5beb6cc1d626bd93957ee6

SHA1
30994266988222cf47f116343cfb8dde6a976826

SHA256
e75a8cf27c0c70f130957c9e118dd676cb62142fc5fbc371d8788ab5a064ca36

SHA512
d57d0162586407dbef9702648dde2cd52545c0109b7047976f2b7d16e36f01a446ec4c1f05a0f8cabeddfd13be42744111c15120d67f4dbe001fc793aef0915c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53ba6abde4de7f0582d60d90bab6c35a

SHA1
39c6e0feed40f0d7d0ca75df15c10cb537e0ea3d

SHA256
2eabddcf2531cea6bf3c8c5bf70d7eb8c20680ade631bd2e4ab599267233d3c7

SHA512
120c97aa697b9b5440c70de602f8b93b722ad7664b4f2c89f0ac2c794ee42722cb31f9ff1eb59fcab25d7e73c8ba98206f76ba15fa0c9230d1883f7beb3e8acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
0ba15f72ffb0a37243558588d3e78221

SHA1
814bdfffd723f7de9f8d6d6a0bc8d85a9f275cc0

SHA256
3d0223e1f8bb35870db41872cfbbe467f65bf9a1208dcb4d4ad874e250ccc10a

SHA512
02b168ef9cc226a08955092173c3745a55b28faa438b8152acb90d3bc1d9f433de7d8341def8b452db1986392a59cabc7c69689ad00825c58371ca78021183be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
673904ebbfbe2c179a355f06043e421b

SHA1
b405b55277d29bfadbccba3cceb695c2e532a9e4

SHA256
2239e44dc11ae3e33d31f945aa918ae005cc999b1f7cf2d766d2b43abcd8c2a9

SHA512
b2fa6ae9d19338ca31093db408e0cc025bc65a7806f4c958c7863ebaa0ea4420fd7fe695a7e05a1f4918141587c684ea533a2f43c67e9d9f9b3af2af195826c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
57939a468ef039d82ae50b555f5f4378

SHA1
3122884b1e8b084695f17013601dded13133bc56

SHA256
31a4302c8ac1d46e36dcefb6af9d0db2631cb7af1292db52707be1a92c160c49

SHA512
33a229937ce916d8a8b117810679cac02b463e72bd66f9810a3ef3bc48e55b107fcc350e906591fb9a5f0affad6baa2948f2ad20182dc79e709522500843e710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
7d65f01ec876fe3aa71fdbf905edf603

SHA1
99c734f34913ed2736a140de0a5eed871bcff660

SHA256
2b1f9691290d2584a442f0ac0a0439997216cc55a0085ef8638a26d8f3c2c95d

SHA512
9b7f0b3d30edbd6c6dfe642aa62bc719b830984034b27d8f0681f0a1aebb82e273ab7e56351b1ce026a95488cb2d9a7a76ed143d00fa0852500f5b80b2beaee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5895b3.TMP

Filesize
201B

MD5
cd89637c9d1f608ef02234c8a0dda0e4

SHA1
e1a144d61b200c1ecd63eb8f461919a435e13e94

SHA256
bf8fe83b4a0102f83278739073ac11c460c6e1eba842be9ae6446c0619f61c39

SHA512
bd757c9fcac05ae538192b3390cff380325234a8f8a651a92382d08f66af61c0e6c8d2b1962964bd937e13fa956a535176a79ab95fbc61aad866c67d0860b93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d906f1f6c343e84bf1c55ad5ffd4429b

SHA1
89a21b28cdbe0bcab8d5cc5a7eda07d1e77a5a1c

SHA256
ea550816b01f8a15607fcff73f1fb677323d441964137b8b370c501080771dae

SHA512
4216b85d6673792b91d0444e049b258b23e2b19cef9a7eb71f114f795c3453aa105f53b251957c1c7d23f97b6cb3d019c2f9b6b9d73feb1da019cf3319472e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
84e0142bd7ea140ac63ce169b0a99d2b

SHA1
7ce66bd704f612364233fa6880359e4635a17f94

SHA256
c1a80f918c5fe894470fb4de7c1ec3c87fa017b921653bf3436de49a6af1acb7

SHA512
704728348b67181e4a50c38397390d0b08226471c141bdd4b498d870688d537ae4cab30a9ca674581da7ccf03e3d60c4320ea4f04aaba650f8b2f2fc62d3878d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
8d5bacc5c9a68099287496cc7098a391

SHA1
dce95db0c23fbf9cba897881da12e5561a34fd50

SHA256
0e0391824dd3d06bf870525f4409ab02c15df7a8c3e8957263106e9c296f32b1

SHA512
6c0f467b4fb4d8854237adb93cd621bfad3ea1727fece81fc6cbe241ed8239978022650d94253bff687dc9e637f688749b963c42aa15b405f15fe421b3eb3cbc

Download Submit