badf7be152d16ad7fc2e87e5834e3e9be4357dc2e9743866ecc8672f3b18576e

max time kernel
1126s
max time network
1128s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.js
Size

4KB
MD5

a0958eec5d861c11e857b83f1a6f7701
SHA1

fc9803b3dde18a1467af040266d5e02c5f798ada
SHA256

badf7be152d16ad7fc2e87e5834e3e9be4357dc2e9743866ecc8672f3b18576e
SHA512

55af1f39a75d8c41a3993c8afcbd52565eb6ffbd6997d8093000700d931e6dd647dbcb6bfaabda766ea64a9a37e6bf092df46cbb16ffe1e02291fd0624f12fa4
SSDEEP

48:Eyu9yvCnwdZd8ZaiSOxj8WmJrT0fMuyHD0KQxgeqYk93GkUs++5ZLUIZL5RKS7d:3uMCnwjpiFmJrTHD0KQ41U7IZLr7d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3062789476-783164490-2318012559-1000\{8318D3B9-2EB8-49E7-83A6-2F7242D0C4E0}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1612	msedge.exe
1612	msedge.exe
3944	identity_helper.exe
3944	identity_helper.exe
3512	msedge.exe
3512	msedge.exe
4632	msedge.exe
4632	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2632	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3900	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2468	1612	msedge.exe	80
PID 1612 wrote to memory of 2468	1612	msedge.exe	80
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 8	1612	msedge.exe	81
PID 1612 wrote to memory of 1488	1612	msedge.exe	82
PID 1612 wrote to memory of 1488	1612	msedge.exe	82
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83
PID 1612 wrote to memory of 2240	1612	msedge.exe	83

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\code.js
1⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde5d13cb8,0x7ffde5d13cc8,0x7ffde5d13cd8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4760445084939331565,3230386309951573458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:1508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x0000000000000480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de47c3995ae35661b0c60c1f1d30f0ab

SHA1
6634569b803dc681dc068de3a3794053fa68c0ca

SHA256
4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7

SHA512
852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
704d4cabea796e63d81497ab24b05379

SHA1
b4d01216a6985559bd4b6d193ed1ec0f93b15ff8

SHA256
3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26

SHA512
0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7b2ba4d9-d2f0-4942-a041-d628ebb68ee0.tmp

Filesize
2KB

MD5
ab09d0f8119fd3f3a17ba5a188353155

SHA1
a418cb43bb4f7814e86694c15bc30833e9e985f5

SHA256
0d2d0de1039660e76148c7b9ef0ae1925d093f4a58deb394bdd4120ed09892e2

SHA512
ce0fdaddccd539d54cb61dc3a05da1a9f506f793380186dbbc36d79fe92f45b18b411abf2d6241e3b3580e29707f7704ed815ce1e5c3d81ca17dafbc813af363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
27KB

MD5
e2d11f135ad5c443e7faead218351e1a

SHA1
fa66451dfd1d31f2cae9fa6eca6e996887345bc7

SHA256
54090a2635e7d3489fd655ef09bf04bf323e5a568981afdc08ce91ad26bdad8e

SHA512
e41c736e168cf82aa4fc3d90aeff91c9314851b301995227e3f45982fde3e76230e3567d46dcbab6a77f8c1fdbd0b0858d9ac87dfed68bce0dd450b8ae19e4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
c8c6b280f4817672b4ffced8bcbfaebf

SHA1
de5d2dfa2c4302723310078558603ce28e81fb9b

SHA256
ded5efd43b2665370f1cc3a33ee0414ad9d95f7f0768af02acba391cad6ee509

SHA512
62a08cc3008f3851f179681fd4cdce1e8d42f9f19f976e5dceaa4fd5f9c0c829854ded18db4a907518c83dd7755ddf4c1e2faf35d23c19175f196555af66da6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d414af87b99fe6b3d6ac1b78b3c6453e

SHA1
f96613e5df1ae613e0b76ddfce8814bd7e6a3e8e

SHA256
cae19b8bfa2631512d9b8a17d8479aa9e2831a4fa04cbffe229ea3c1ac8a31d3

SHA512
c45d9ae7926487fec886a39aa8b52d38e1dd3fd175febd2803bd15d4b2feeaca0ac7fc78a094c8e851e0ea6fb45ca6dce951130aa924419f79cf46d1b1cdd28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
91d86b6d5ec46f72893e554f7bcdf453

SHA1
8a7000a8eda45a81ac4cf5a864df71531309f182

SHA256
579b344f04adbd9c889dd5a5babbbbcbc2f2a9cb42232c19ca88cd59b1d7ee76

SHA512
956d42977b6e08ba91b9cf5314640731b28fe14a8e3659736a9265d09f0c05b8072fb4e142209eb65f2971a2526d6d9c373cfa2327584c3a74fbf8808d89b8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d179f62cf03c0b110ca98277c36964dc

SHA1
d51561fa4dc73c5c3bb63289141789ac1c5f298c

SHA256
42457a595059215914ca3981449de9a9e25a9e26ad732246c0d9948224939b0c

SHA512
ae798df3a49b282b3f44f2b481d9a815ba4be8806b8b706589dfbf531bcfedf433a512933e88f3188c3bf388dd0229d73971264e5adbddd3433c5051223ad68c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bf899289fe0f0a4abb28ef4472f01603

SHA1
29298c824cacb87533535ebcab9e1dad8f148c56

SHA256
85982f9b9ce06a29afbc36f9f6a7b5e6193954a55fb27129d6ff85c31c6fa058

SHA512
4b07990d6a5a05f0bec5bb5adba4d64e525f473512d7fd4face172e58eb4141343b13c274832a81630dbb74fb4b49216f9a4be604c0c7e79c348c583e71e77be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fde33d3055fe832c179912c8541ddfb6

SHA1
b87c4c248c3b952150ec0d2165c9e700018fefec

SHA256
b46535c0c705a241c565a7f6a0a3b310cff5ba874beebbc660914e56bcfe09dc

SHA512
d4ccef83825c50917f3526b299e270a3a8c978360102011e19300d70836b57b3f737a5a52f7f84cc811e1084ac2e1cb84cacc0ed94b0f1f2b416d13a75c90898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
551B

MD5
41dbfe1e4343e4377e024603931c3118

SHA1
a732b822e9a1378d7fe91fb3b8cd6b496a55c8d6

SHA256
6bb99cd506e921053076bfdd739b9e68364f9a941f8fd9d1546a0d523335be26

SHA512
cbad820fa0a5210aed64618aac4a6efb78b32c14209786c81b7692256afd35ee3d7b51ee9bf9f319037dec6b91e3d8cf2cfc9b6a6190cd2c745bd022ecd72d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f8ce42058f41aef18e5b9dead209279

SHA1
c4173e6f9a1f165c4bdfba3ab976574c757694f9

SHA256
63808e5aae19707575d586f1e13b6b07de9421e4da9715000de06b1052b81eaa

SHA512
52f9c3b3da7427010b54483bf648c1af75ccdcb5c1b38df83eec2e329d077fc7ff2196fa75eabf5282bb1c97b61bfdd4fca91b05fd2bfc4cdec6f010aeed76df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a1e6994fcd505d54452419c1452b11e

SHA1
5a84098f36731a6495640f448ec481ababdc0016

SHA256
e46cd3c0a597c9cbd52e2ac5b17086171a8fb79172c293e7933657c9cee7906c

SHA512
2772e5a6656e6ca3e776a2c0fe4e54c4dc96de24a02353d781347a92137492e7d08dc5c69f26e810c2413474861f8fa89429d97354d0c327b2a1223c1ef48fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f5be176d9723ae4e0b7431f8682bbdfe

SHA1
86677270581277b967aa90f9733005215bdb8e66

SHA256
518071759616e9e121e9fb19b8f2ac9355dcaceba7cd300da17f935d7b5ee28f

SHA512
ebbf912e9339ea06c734064835905fba34c4b63e615b2bbdb8ea4d84477882227304fa5210a62d25e3a79f1f0635b91dca950b24f2cc3eb255af872437153cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ca42b08f50841fe5ed36ae36c6a64d0b

SHA1
ce0e8256f863129f53d9fd46ac2d855678951b69

SHA256
8ebb6143832bd647b1d910d2d3b7478bf67913464486b8f5f32e06a0d908c804

SHA512
2438623753974c0eb8b213a74254c0d79050ecae99b9c1cbdca3d4aedb7e2ddf8442330d58e57abd4a33a0992d477a00f6e187a1131cd3df42d2da04ddf1edd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ba07f9c49c001a69782ef27df077b4a1

SHA1
9665fffd846053f4cd9918cb7e8d5d11d5bbe8af

SHA256
8cc344da8602a71d55909287cc479388c5ca016f800f5c487cbbfaeecfaf03cf

SHA512
c9e9588547e5255981c2fe94d6c262a26065f0397ae1c7708e27857092cc0f0095a55d3ec2fe2b7d70fbe2bb578ce5a0d9fbc43189dd7e45e1fa16c727071c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
acf935538b67ef5030447acab13b1ae8

SHA1
a10055ffbfd74e8ad522e095c67d7454b5e83aa7

SHA256
ab08be6b264addb1c9e3e1395e98ca33356f4f835b20a9f5bee6775a1c72dc0e

SHA512
04e25355138b259c09e36a96444712d65346f47f0df5a74f91d95364a1ff61c66b64fc00860af19a11d8ee1e0a62bc7388888087c0120eff8aa2a0e2b39b1ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
86f9c2b50c9562a61f45122e68ea67e9

SHA1
97cbe3e56a8be6e01a06f0ed80b04159ba3d406a

SHA256
142c4916936236463b72a1fe03be80685e9e575133aeec894f40a0c462e3194c

SHA512
c56b669ac8deb46fb6dae43b51f931bbc12b74dd4ce68837be0995b5376831c26d47ea914c509893e2e7d85b0099c82d9fe155abe43a6f7cc352c84d930baa1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9271ee6eb05bd7ff836c5a107d46db48

SHA1
571108d94de7e22213da2189efefc0ebdc2d2afa

SHA256
4d135b05a4d20cd862b0b150e0fb1cb5ddc58cd3ebe3650e90d50aaace3ce323

SHA512
b8bb742edad0dfe5fa85e376bb8f39f9720278c33109ef60be971c8f5c42ac6d002c7e5d9817dc745d93f91280e7a957d865803ea2ede7b01e819be62c7a98d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3a931826f51bc31ae3da443b47beb882

SHA1
7b470f9c98e7ee49e2d8e4fd3a3a711b037cf9b5

SHA256
7b79f5a386e1707f74a74ef2477428ae3ad85da900e7537247e43ba6185e2a23

SHA512
0a74a8a3b823612486ab2580c816bc779351b9faa602ee0ca07fdb27d3dc9aacbf7c394126d6608d48ffd0bfa12161d2982359fc624d25c9016014863bc60a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d5dd2.TMP

Filesize
48B

MD5
ec405b551464fe229da96f747c65bb99

SHA1
5393e73f876c8cda9647b352998f2edb8a232549

SHA256
46d3d1da33ee26e6ea8dca40f145b30ce431e9e8ae63dacf0c714645d3bb9774

SHA512
37b96dcd3dad0f2a510fb322a40334b4fcd40ab905edb7447ce24dab12492d4e06f71b258a87139084d86daefba74a2fcf9130d9635054a06b565c104479ae0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
15682cfb2e1e9dd7569548e87dc8331b

SHA1
e9062760126305cd166af9c1f81f372ebf66ecbb

SHA256
f893e3a418d250a8a2738cd819f9fe39c1812ebe3b0192381b85ed07a33d9e63

SHA512
139e5a9d3e7667dc59fcf9985f049d5ab72404aeea68a45df67b96ea1b302ca74eb82a7891811beae6aa42f9cbbeed4ba6639cc2d1d89574a04580e3499a86ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
13c43ef3d7f2f12294966c244d03f7ae

SHA1
875cedcb8ffd9b264438362fa7be8736b407a5ed

SHA256
15c51de7c4bc937e3a658a69cb1eb615f7dcb2c1faa231be4ef96031767dff36

SHA512
e053855cd54c08b2424d01a34d14f792eb8102422d69e575c41385a310a562d83505d6f136cb6a6bdc6ff22ab0600ea18ece45311abd3ae1498d71fa4ac1ec36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
47f85c70707ff269befbd8fae01991d2

SHA1
e75ef3cd011146df75f8c0ba70084bbe6789812b

SHA256
bbefacce057d03d0b90156d4732e3abdee806e94ae8778dff8432b2bb2dd0d64

SHA512
cf105af5b532c9cd5c9f82856d420c67ea767d0af4d76ff90df78465489f9e9cd1b1ef3df95be5e9ace7dafbc36e19afb2c07a476d8957e041546def543449ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bd353cf408785d6619cb8c611b4119fb

SHA1
8f73f432dd4c094f4d6910407c8dc241cf955b67

SHA256
5a86f47cca7e21712bdbb630e725bce078b87c1ed3449feb5377aa25c5c2e0f1

SHA512
350a407edb9f625655aaf6c8b69666c1c9ba2ef1514504564a1c1db8e29b0d0bf1cfd7dced3588c27284794832d4e63b45347c6c01efad92ca7457e18386d5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
43f529ec9a924d029fd1c9efcc8743e8

SHA1
ba863295beb0d48721a49f592b8ad4959ec38282

SHA256
c1a13cbb1df7501b8c1a9687e1b7669d115974c45e31a69fab02134cdae22dd9

SHA512
9f9bdbe1907cc479cdca29cb4a3e2f1fe6f8f7695432f5b4dcafa001e0883ebc8e169d213e90814c88525d445a5aeecd2c1ff19d1218a3eda7d572cd3c641eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8eaceb4f322bf098064251954c9bfbd8

SHA1
5ed5e929c51bb639e20a2499a87946278a1b0d89

SHA256
ff0d970f607568efff5b2f231977d3e60771c62b12e2e93bc40e5161f5ba3024

SHA512
76a8cd92f1a986caebbf8b796d4d7e045970803fd63382b537ed3ed6631b70249ba4d58ae763340fc634b2531fe57f55630ccd0cc03ba766add2570081e0a1e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d35e8e69ddbd3ce38b025222b72560ed

SHA1
13b868d9672b33a235fdb707b80d6f4ed6c70917

SHA256
0164c1d34d938b460341e82d45c0761b626630027ecedba76ef99c665b6acc99

SHA512
f38a21d9abbf68563e1ebed2715d1e5bff40872a6c04c0bcfd88b8bc39d78a70141821fa7e59bf0c888e4321ccaa30747f316939349f71a858bcb781d6f41d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
62db69cddfc30878be8f4fac5ee432a0

SHA1
964a2df55999e0e2a00f789c7af661a586d8763d

SHA256
c68184d28c2e22022e4ca90bf6b4ce102fb169a73d5dea570905a82ac5e15777

SHA512
0774b7745fed19f2b24a0368e1de55db90f9da894e425d09cec7e30ca7eadf6f49bfd5e93409525ca162e9fbdb72b701b472b51fbe2697fc75f730c56d135531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0c4c67373b034440fa21599cabcdb43c

SHA1
1e08bd09ef56874f2deff093b0380e9050a22cc9

SHA256
b1ebf2fa9c13667680515b2ccc1ab960c2f34356b75c4db1c23c37a265dfc532

SHA512
99066368bbbb07127ada883977e20ec31a280ec5a929a00d459a0ba2f8912739a897c7fdf39ba7e329fe2044030af4993732382139e15b77e32fb50ca1814606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d31ff.TMP

Filesize
1KB

MD5
8a1c861630b845a634b5b1efa079b68f

SHA1
6a603902b1a561db110679cdbd45436a9e431a97

SHA256
f80b7e63816849a5b521a6a8fa7e33c79eb2b065247b3e043b7af210e90175fb

SHA512
f5907f8c34668fdc6d889aa0a482f9651e5d74b363261d49ed5f5927af489295bca31d0331821c2e94449f1a9da978a95ae7f77a7d5a1b56f702342afcdc58be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea8a9b845824a3b2739cd3f602a31290

SHA1
f091be4d19192cab0338919e6dbaa1d2c31898bc

SHA256
396c87ba86a532dd7d2315aedf6cee195c8e5899fe4ea12cfe2c3c90c13224d0

SHA512
47afad5cde9beb36616285e6fdaa49ad6a260d3ffc66601e0288d765bff76360f49853d24992423ad8aff049e2f8fa0440b2c04200fd6f3204ce6ae96f39f2e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2cb9e3f89741961748d38d15dfecc8fb

SHA1
11f89dfac73dfacb194fa01bf6e7fddb38c1f6d7

SHA256
e76dcf1390543fde2ae6fd8263e90df10923df9dfe78a5fb588a50654577fd13

SHA512
20557311d13320d2f7c8bfb99e49c8af30dbcbace0faaa5101f9ea893a017a55100bf2b3c466c9d9cfe4fa8a8affcef9223a870abbcf571492fa90abd0e748f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit