fe27903bf96a553d62ef5b11e29d37d1def703d6bd197d4bc3400881e7dc0721

Resubmissions

10/04/2024, 18:44

240410-xdlh2sgc92 8

10/04/2024, 18:41

240410-xbyetsbd3v 1

10/04/2024, 18:38

240410-w93xjabc5y 1

Analysis

max time kernel
134s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10/04/2024, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

98f2f00a13a961ecbac89496e55848a0
SHA1

b571d90566409ad7b37ec30fa8d7d930e0ceb430
SHA256

fe27903bf96a553d62ef5b11e29d37d1def703d6bd197d4bc3400881e7dc0721
SHA512

03baeb7110c6f4f348ce436f595659f18318db741cb1d4b6966e4aff3d06ad5ab2ca32dbb576b57620f40036f758a4ec9992886df5e58a13942093d970a0d659
SSDEEP

384:rI+CtgDpmReVoOs4dN9ylKeGM2U8Hhhbm1C7eS2LjFrSE3+dxVJCBXQL:rIPgBVoOs4dryI1McBhbKESFrSEuJQQL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2930051783-2551506282-3430162621-1000\{1292AAFD-A43C-4518-82E6-D73906E96983}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
708	msedge.exe
708	msedge.exe
468	msedge.exe
468	msedge.exe
864	identity_helper.exe
864	identity_helper.exe
1384	msedge.exe
1384	msedge.exe
4624	msedge.exe
4624	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1960	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4292	OpenWith.exe
4828	OpenWith.exe
3736	OpenWith.exe
2796	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 5104	468	msedge.exe	76
PID 468 wrote to memory of 5104	468	msedge.exe	76
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 1928	468	msedge.exe	77
PID 468 wrote to memory of 708	468	msedge.exe	78
PID 468 wrote to memory of 708	468	msedge.exe	78
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79
PID 468 wrote to memory of 4252	468	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa09473cb8,0x7ffa09473cc8,0x7ffa09473cd8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,5592218094111496183,15260450680558316888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6468 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
35KB

MD5
a053b626552864ee4e93f684617be84c

SHA1
977f090d070e793072bfb7dce69812dc41883d4e

SHA256
25b3ad881a0a88c6228e12688078638fe0b96210d0f0e20721e3c911a5b37dd4

SHA512
f7b444b1a1c465a4614cd1b9bd678875251f44e227abaaaf1fa6b35bb67bb25932b9b11cc8fabd19d2d5d6e80c6ad0b15149869e6e41f6345db3d49f08683e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
d404b61450122b2ad393c3ece0597317

SHA1
d18809185baef8ec6bbbaca300a2fdb4b76a1f56

SHA256
03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb

SHA512
cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
69KB

MD5
3d45c1dac333992c8f38ef2c309291ac

SHA1
e94c99df0999bf80e47ad0732a629ee89b35532d

SHA256
515c04c4bfdceeb1b8799e26efa765376166e22a826cefcc11a0a703f6876a0f

SHA512
68729df01791dfe621c8f0e0d27d34065a8799670d6e08391d64c0a183e04e647a3957902554bb60f4c364575c96267adc8fe75a521cc50f6d56b5b0c856b6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5f9689bed44cbaaa9f97421ddfbdceef

SHA1
70a83d2cf5bcd04857bdb8929f243a58c00dd378

SHA256
55210dcb0e92ae65980675e857a4823778e302d1c0202eb06fe6ba3aa95e1438

SHA512
427fb8f4822c7d94912c30a10831e4f5112621a05dee12ae8ff96ce3a10bdfbb17a3f78133e46b0e5477ce1728c18d535dc1fe325f42c435c9cdaf08a1544530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a6b4322c0371a1d045a4f0b617d964c0

SHA1
fdf881a75f9852d202b3ad3ecadb6ccf6125a6c6

SHA256
0e78dd2d873b4bd5808615b945967cd5573961017afc3c95035b3675f4478175

SHA512
42902f6fd8f94b2dd9dcab592a85355f576bff72472c00c3992c6b35bf227d0459a05f13316671fbf1e6fbd91fc372afee4a98872c9afad88ba313fa35d63984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
564B

MD5
1e7c85b0da61dcf3cadca3217d0b4f2b

SHA1
ff8c848bb23c759277e9b2c4d9312bdd599abf4c

SHA256
0570c0b8d82c063bc10af56d93704465c9b1267b83dad763a65e3dfdf776c8a7

SHA512
f824bee064b0de66992d65db84e82e2e963242f742677d4faac3953c1669214c70f07f2f8b181355ad0d0a55f97d0c958f78967048ed37c9b75ea35bec81f2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
87542d1a2e5215228397df9b5bb720b0

SHA1
6e5f3ebb577176ee900c833d61efbad6f2dc44c7

SHA256
a0d413ae83909db726764e2d3874a979cd33cc9266110b54671e55baff20b845

SHA512
99b59f40c9172f276124f1eef4de50c85931cf2f883db48a6da984b59f2e1b8fca530b79467c3c9fe5fbd3020b3915b7769993c29b0dc2ec996cbdabc844f988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08705739cc771917e257b00d237aae1c

SHA1
c197d8802c033b1f7ee603e63a2404fb21b23713

SHA256
8f9f93bcfd9d7b9ea6abd13fa0637c8790e4e91406c729fd17bd00418c4c6aa8

SHA512
8faf466f78bf3b5c825856f3ed5fd20512fc9a48c2debdf74d59572908a6e2d7060c39275ef590d58416534160e05a04efac67772acd22a538e47300b8fd383b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2888c3ee7a7b5871b9d5e49f9cb59679

SHA1
e4f872334c9941ee44cdd5c4012a9c53b7917035

SHA256
2da6cbae0d47915a33e521bd4080173d352d3876b2bbba72e06cc64d867334fe

SHA512
1fa2a83aee9fb62007f87ed6949db33ac38f13b2305aab237091c372d3388d025baa320452ad318586f807d22bb6afb09214c4c6845b4fc07e43458222eef267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6d5aedc58867e4b14b417fc340e71f0

SHA1
6208201aae410853c0d861a3018941165f0ffbb7

SHA256
3fb81861a04bae70b77c5a7c9e95cabeab8f52a33408048817bedf42e296776b

SHA512
bb51ec84185b0b20fec81f2f7d253e1687e296c96b2ec4f2be64c2001d45e4004e07b1a9490d07ae7f180a94b24591aac4edfb64f769586466b5a7344d898f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5c8c444e80012dd503ea59242377e36

SHA1
988c274b46528d3d0245543d868835d86432c68d

SHA256
2bf5ddbac0b5a267b30a4990a0e45029707394a128c572077cc01112e1439917

SHA512
b65de7df67b08fdad75f5eacd5f9f1733bce38981f9318db57e487da870530b44262e29585b51d8b1b4cdfc35f29e1c5710d935105678853d16041c558ec2e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fd5f3470b06be0bd8313bc66e407150

SHA1
d1faabd936765a6340a62ac7881499713ff4145e

SHA256
062f39ae1e85e1318413017782353180d2be3f2fbe90581959effd9c1fe6270d

SHA512
ede758c950a40669d4224e19772e09d26fa4667748b213c70f4a7e19cdbe53a728887fb4b9a8f08a2189033cde2e1ae5aa3129afaf9ae77c553c096627316ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c18e729b2e4c0d7fbdae4bb603344c1b

SHA1
44dbbb3129cf23d490a1892c514b47ea7f23cb58

SHA256
31b819fcf19478644ab4e99342fe2e61b506e2f8f903aca93affe366a81a866f

SHA512
46e753191ac5255adf32558af5872340c1f04c66be3c104f4cf7af4662cb28f4a54f8a4c9b955841a4e19657757f0d8ea73a40296be0774c8ba60d386452218e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
22186ae79025a8b2efc87dfce9a3756e

SHA1
5837a26bff8b093d9af7a9fda76ea76d05fef9bb

SHA256
f99173084e26cfa9259d8967cc2a2f2356d911bfdd97805a65ff5c1c33f6a371

SHA512
fbee82bbe497ebaf8c30071b00b2f367eebfd601c01a5ce1df330964f32870b3e5f49364cf8bab243df6805c163e7c204eb36084fe09cf0e9f8e323b0efc8d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d637.TMP

Filesize
538B

MD5
b17b6c703bdd3b84684d40ee29f40b2a

SHA1
c5c2284f8d6e0e2e8968ac3fb1b4c58fb4eefa3b

SHA256
69c0ec4f8d75d3e3a5d8374433d3f981080fba55e8fdb3929edaf8f1c9bc5174

SHA512
e3e9b50fb8069a68e95698bc8a69a6cdd6b793125cdf595c5700d468df7c0f56f5e24ecbf13526059b6dfc42fdaecdbe41b32fd77da9682069e79fc088748589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7eacc8aaee0ce675ec5fa2bf02942c5e

SHA1
83e70d085c99ca3bfab22ba2a6dd793ef9178e9e

SHA256
728d2a618cc823172845119fa8cf289bb0e95560757a82197a86d41ddbb4fba2

SHA512
57b273c654c3db5b1be2eb3f54dc17e523b4ebd3cf99b4818ca2729251fee945089386046c9fb2602b580c0c3b1e3decf1c3bfbbb02b42c42fcc36180c6c44a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b9178250-8369-4374-afb8-84de6e0f4715.tmp

Filesize
11KB

MD5
2cd307d4b98d51130a1ca7633435e189

SHA1
0ad760e9f311a7891cb5133cdb2b86b1407f2487

SHA256
a04d0cfe922cd5034a0417eaf655f016895d74d6caaaee7be68d4ec1432cb48b

SHA512
b0bacef7a772223917cd4e80a9b5c42dfd1fb04dfd57718a6764b2ee4e1b68633cf6d2bf5b8400a6a33bd5fba4af841afac29ec091ac3e6e7249bca88f83353c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
2cd36567a04bc4f1a43e1115e3154a71

SHA1
9bca852650ea27b6f8026f2979da4ab48ecfa40e

SHA256
93c7b72f88949dd5df4fbfc9bf9c8906d014f4f3c2d7c02603858feea0619d60

SHA512
c3aca9caeb98451716dd88902016fa2e3e51f8502cbab574d63f18a705c0e90e70931d27038411a11627233fd87fba2be8826982e316b0c2f413224f84f33435

Download Submit