hxxp://edpuzzle[.]hs[.]vc

Analysis

max time kernel
979s
max time network
1026s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2024, 13:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://edpuzzle.hs.vc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-834482027-582050234-2368284635-1000\{825981C7-B333-4283-9B78-5EA6E1835E75}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4600	msedge.exe
4600	msedge.exe
1532	msedge.exe
1532	msedge.exe
2364	identity_helper.exe
2364	identity_helper.exe
1084	msedge.exe
1084	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe
416	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2368	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1936	4600	msedge.exe	79
PID 4600 wrote to memory of 1936	4600	msedge.exe	79
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 3224	4600	msedge.exe	80
PID 4600 wrote to memory of 4852	4600	msedge.exe	81
PID 4600 wrote to memory of 4852	4600	msedge.exe	81
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82
PID 4600 wrote to memory of 2716	4600	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://edpuzzle.hs.vc
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffac333cb8,0x7fffac333cc8,0x7fffac333cd8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,4870387410140000351,18443763690184621125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000478 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
4bf022846ccc541b5bcc25335cfa11a5

SHA1
ec95c99ddb6f03294d9cd2346822178760c84bbf

SHA256
7218244caca41fd5726983867eb81c636556c70fb8e463aa25d690a5b7539902

SHA512
63562a58b66a5104ae5a9b2842d4d405ac5aa3ff8ee58ebfbcbd074ef27292540fe4e6a700d7aabff2ae135922b7597403288ed4953a28aca5379d1631a3132d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
770f12029888d065a6bb2d50156a5249

SHA1
7796c9bf5bc0321ea6239e5f6d47e1d97383502b

SHA256
5991a7f6773000f642620e18c278fe07ff021fc40921dfb7468da2bbe307f034

SHA512
023df5b3f305868a5b9994a8e23e107e0a6a3cd734ca6d0317821aceb0e4ec5785443dfa17eb77662a4052044eb3e996fa265924ba960bd3e946115f448339f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
0be90750ccdb8c70fe58ba0576dbbd79

SHA1
3f9de7560bb4a124ee0db1b3291eb1138497ac4d

SHA256
9af682c213e4a6b134459bc96178c5c997739fad39caf9c354b6aa9b39581ded

SHA512
43f0edb0ee75b83fbe6716bcc4334ca3ce6260706fae1959485ba4303d8774f2b501cfd3942b785284807aa382f1796345a98fe22c5980856c8bb50707c03213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6ba9691c264b754b99728ac0c6648783

SHA1
52366fa5dda199b0f1155b1064363f2ea708af0d

SHA256
699fae79cc9b0d526cc5e524ebcf6573bde8d10e4b61514d2ab4417d7d023cb0

SHA512
fa3b41656718250bb674130f0ed2aa8d04e2c320ac76edc9f2ce93c03e6f6a31e7d78c03dbca8b37b29bbaf72954dba74c36d6bc20db8c20891078a0e332fb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e2aad756a9314e8200e7f53613e55ffa

SHA1
fced0ad0a593b5edee7da1d06649e80459f0d944

SHA256
70993f4396482463d15b835555062ed7c0524e75f558003a76c45b8eb4394e25

SHA512
872c1713f0ee09f4c151050720bd501bfafe2d8bbc7ef095d41f253d7d9e4bc896134c1e7cd52beed2e59946a7874d65811101de420290157decb94c648d9285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dde0afacd2855a6b499210c9f32adac0

SHA1
8f61f3e29fb985842e0687888f6079a87a5f7896

SHA256
8c7b53f5f95ed26197137cb534d3a2028cc6c0a7dceff9aea815a69d2e2ee17a

SHA512
ec18fb3779540b62d8c87d5b5d103d8141030c4002c94951abe71cb5ba259a62cb5a0138e0d1acac0e5dc635422298313702991a1f6ecd71048ec95d649db97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2e9589179daf0c75c4469865698bf5ed

SHA1
efe95a706c09327d01e5e0353133fba7b9f57ba2

SHA256
10facdc9282024e92ecc06245511d33d25822b223055b07cec1c492bfb196031

SHA512
334e7b913faeeff899eac3bb9df052460768872730d0f90fc85ac9b1cc03188ab7b51077e4c8b06c8e3555f193a45d0cfe8cf446b80d5aff345043d71419080a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4b96b1f6ba3a30bbcbbf29e77703c6ac

SHA1
8f1bb95ed2e7e2f64cda3de249ff02a43b2e7903

SHA256
179b0768b055eeaa49e2d52656063e323d78c28bd3c207e636ff44236b7d211c

SHA512
9a24243a4e0a1f31354fe018344f94696e045dd2c46122c7effaf2e96b503c7e650d5963300764efcc3a81d12117b8d6a2d01801a88c12235940b1dd92d8fe1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
eeb2d43f87365a017735039840e37fbd

SHA1
6cfb2d0f814b683d81e462c6e67b81c726444d48

SHA256
637f4b96d0967658a6bfee93acc9c10b212b1c404b852656014e40cd9bec09ab

SHA512
340db97e8ba2699199327843826cd446e68365416aac602826d7a83c94ea3519174f46c17bb12c50ff83a950efa5b1f0de2d21d17e5401e9d1eb72d3935dcd4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b02ed11c8b17998e8e70e1cbc19a9be1

SHA1
ac795fce0b6dae0b2248de01eb799446d94e4410

SHA256
0d637e16d4b9c8db76840ab8db256f5d07f6578dbd5a4400600addea74546aa5

SHA512
55b8670ed3f14572e2d04849b0ba2d67e1deb2b3756c50643a9b99ba374a71f8a108673d1de2486b4df3684f44a4aa768a7f9dd02a093c553df3593c3e59e95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
11ae770aab772e76b3d3535b3747fb3b

SHA1
a75028e64b42311fc1d48da8a2bfce9ea07fb340

SHA256
8ce2446fb9bbf40af64c904e24694f3992b25b8e3c4387f1e5b49c079fd83355

SHA512
6705744b20a069eddb7e594053da5db27e9ce60d75668aa311d8eaaba3bb08e8794572403d2a6a728db112b24c4c9c4ad0d8b4169dddd0b54912d2efd2d0e43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcc79f06c52596d27c36055edf5c22f9

SHA1
7619339b1cfe7f48dd9d407b47e0f8f8abe92fa3

SHA256
4d4b053c7fe0245a1dcc9b07833f23c82667d61a6698efb8b93d8394479abe9e

SHA512
5ed236f13f0c8ea8a9f295a025d90054bdb83cf0a889ed427676a49f4936d375feb909b3de5d7a85bea05e56d12919cb39d26befc6e0bbf31cb5b3380658a783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7958f3f1ec511a39715adbdc7629040d

SHA1
370f883bc70a61391d6fa7118bb117b62f63129f

SHA256
55e3890336e693e68b73b95a0c2045c0096a4dd799340d15875801c6f66065c1

SHA512
b3b93a49568306e947615d286269784101a70f254c66c9d9877d07f44f3bfc39c93ca32eeb20133b49e78463c6e1e36f59de380d331b43137fb0552b3152fbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\fc8cbe396f39ba32f4bffd3767e188604c4a5c88\index.txt

Filesize
75B

MD5
bd034e7ace31401b473744370d8bb1aa

SHA1
cddbed6c333645789f2e7b8087a6a3115581a1e3

SHA256
1880720fab749f8b3ba016ee037db7da5671d54df8b3cb03cf4c78f7d040cf9e

SHA512
7653a32eebfa34b5b88a305cc2aa78bbef96635d3fbdf0b625f97b5d2f7f73dd386c8417b490acc7f45312ec13f977eec6bdfd383e6e72a7aa358f4d268abcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\fc8cbe396f39ba32f4bffd3767e188604c4a5c88\index.txt

Filesize
68B

MD5
f5728c8b505ffb4429e386aa643128f3

SHA1
21765b41b6a8fd80365d8d3396a010a7e4d1f6b4

SHA256
7d2353e31b4e5d0b6d6e6dd46a3f86b6b42eed57da5522ea2895a012ed0b4beb

SHA512
764e17d37676f5f1d402568c803f20ac20f98e73ddf90647c587d187601edb70c22b09f46a9e40089392351888e5f444187990948f04b155c7cc5ae2eb653a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a95a3550d9b2a1f876dd141728b4dd9e

SHA1
d1fac8c5d5f2e49bee740d6145a788b4bc15ca0e

SHA256
03e9f1dfae4a5a2ada6822b03d12892f5f4c01bd9d77f1a3a85626947c5254fa

SHA512
ff94a2f6f1dedd0a5a332112a738148cd959d6e0c5a3dbcd0845c969ab1665164708e88f27433fa5902c103bfb330aad62c51a4643fc65aabca4b01a7df4c4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c6d5.TMP

Filesize
48B

MD5
9b229f23ea743dd9172dadfbbc4524f6

SHA1
9c72a39ae3f8639aedac41342cecb2485745d91a

SHA256
d8d37d3f0a231e7ddd250f8641a9b1db393280d2f5693a47f381cf3f5fd1ea42

SHA512
2b2b4573d083d31b75f69bae748e9ecbb0e667d638c681cf5b5e9fec60cb339a8488af8143bb9edfb4b2b52e9e3a6d55a37efa544cb15ddcd404eaf64643a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a1167d1a881f3aa08ba59be6b7892de

SHA1
5188c2870c6b522889bce51d53294b05c2a7b7b8

SHA256
9b287be4b484fdb9b852d4c19ba0930b5394e0b2b4761ed00cb1d3ed1803102a

SHA512
48bea38f58364f3f03eca7427a28f2c6ff2ea8d4fbf3c1082e3009d2764cfecabf221614f231ea68b30452adf25b2907b3afcebd1fef721798ab4c27f9cdc73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6f8f05bbee762a28e9bba563849b4df7

SHA1
dbbe3b684de307337e9ea6f0e26705bc46618169

SHA256
e7b966ccd7ba4e5ee2e89f89f7543ea727ffa3cdd056df69012ce93cf4485b97

SHA512
444dfb1f49b18258452d628581602f8923daee8344e4f27aa0d63f1e13d99d2af5550a19f71e0a83638a5ca38fc4687a78bfa69c19a42269a4a50925c79b480a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6908879392bd5871d7a0ce6953b8cd0

SHA1
bf1b68ff250719fff766d7a6d9033a26c380f191

SHA256
7bc877c4f7bad23f5539d9c7f6f29eb2d3cd9c97d7478f3a46caa406fb39cc0f

SHA512
2eb45a488506403150c3166bb667a127a4566797759546e1f8b854a23218414a3484e5dd4a71a5c391531c055e77235c7461cc310b9899af0248d6f99789453a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c4b7.TMP

Filesize
370B

MD5
deb503bf550086449546e8f25f2d676b

SHA1
b90b080d4cea65c68bc7dbf8315faa05d7dd099c

SHA256
f78d8ff233710efea32e5f34e660a512ee16d1c76ab5209dc5436c0523125df7

SHA512
74b2cbca11ee5343fdf86cc13198e8c7fab4b311df5770cea64d393213d4770cc91acd56ab41c1288031cdc7bef44451accc05ee6c32290fb3462b2385bf92e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18e16e7cb7cd7d243c2e0d127316d748

SHA1
d617eec7b118e2dad7935b165e0f6f2ce325d6ed

SHA256
63410e2a43a11f1ef52cd9bba104248846e21c69c5a0865d13bd48a7bf78f4ba

SHA512
34b881a431b974a7e3518992a61b9019dc9a490970e1ea2381c27a0286eba8b6f821b249da4e128be29992f399e7bdeca4738b5c7b4abefcb38769be4ec08757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a9d40c86c51226a5f7a80e399a8eaf8

SHA1
117ca551a430f2977654334beb3be894ed0cb10d

SHA256
494110c425d4acc184bdf376bd256a4e151c8f2eff49de49d05f0d8c9bdcc6b3

SHA512
f7cb0dfc8ebacbad0d4c720f6981a8b085fc098103657e51c6852c0beda7b531695f6fd4e927daab2ad47a4d0cfcb7a6fc112f7185ef35cb1d3e739ef714f0e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
fb46b2012da637bcc4f9103148235560

SHA1
14fbcd994edb121c110bfe30e753f4495d448d23

SHA256
8ca994794de491d37808d29ccd4bfd0c3da3a192e0bb64e7507b55aa935f9df5

SHA512
d5782101a5570d58ad3f0cf9f8e634657b8ffa55c7ca035c2cb730c98406d218bc73663ee042ead621bc164f2cc9db2ec988cf95a9f5d1eb59e6baa05a53f2cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
12d0ef879dcdc568c3608545c5ad54d7

SHA1
1c3a52201d84b3823180d14579a57e1a9a1ea420

SHA256
af030088756403bafafb5c0d75e81b7f7dd5792da04b65c300afeb492cbf5966

SHA512
d0925b3ce4564697b43fa140af5b03cef48bf63cbfd9d1d9a248aac326e43edb3e3387eeec402f5ed59f5a4734643df8e615b6f7d419157c2dfb08c14ab6feab

Download Submit