hxxp://45[.]67[.]230[.]198[:]8000/

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.67.230.198:8000/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
812	msedge.exe
812	msedge.exe
5104	msedge.exe
5104	msedge.exe
4900	identity_helper.exe
4900	identity_helper.exe
6120	msedge.exe
6120	msedge.exe
3820	msedge.exe
3820	msedge.exe
5372	msedge.exe
5372	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5136	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1680	5104	msedge.exe	83
PID 5104 wrote to memory of 1680	5104	msedge.exe	83
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 4356	5104	msedge.exe	86
PID 5104 wrote to memory of 812	5104	msedge.exe	87
PID 5104 wrote to memory of 812	5104	msedge.exe	87
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88
PID 5104 wrote to memory of 2976	5104	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://45.67.230.198:8000/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef7f46f8,0x7ffaef7f4708,0x7ffaef7f4718
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17555214202056672307,3802011112387057639,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2d65a9ae-3787-451a-b6ec-711d631289c5.tmp

Filesize
12KB

MD5
a46ce8a05ca2989cd509e5cdb298e370

SHA1
3583a5335ebb9b734ebc0168e6c63e04e071833f

SHA256
7c6199e35729e089921aa82fce1fc78a580538a971022e75098efeecd8936448

SHA512
501a531b2834e55059f37570a7e62026ccfd2a1c05f213b5c6a7b37206850e5f2c4d12e08e07cbcd6d3b0e45e23986543603d11995c70cb2c779f2bd143dc9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3e4dea1d-4e5a-421c-b51f-3e771666c657.tmp

Filesize
6KB

MD5
ac116ed41817532c3a676b1327fd0255

SHA1
2658b38376664d4db81105643e316fed6cf1e984

SHA256
791407866f5afae304bb55e7e2c7868c48e6a198fee003615bb63e6ffa5e3519

SHA512
64d383f45a31c4d073ced8f4e786265f4fb1b281cb91728e50c4ecc2576ff00acc8e9c670388a69a619bf6450023601bebeabefe82a52f16fa8374d0b6781414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c7e6613c5aa107b7e800dbb55dedf715

SHA1
4ece3c39cab972c243ebc8b31bd983931d46bf80

SHA256
cdf722a82fcaea8f0a5e379df74c0a9a874383e96dec37f217e95cd7df100967

SHA512
b76c17cb757c393249ba91aab7c1f0b49e5cbf5482ffeee09b0c183d6f267aab22b1dfabad88598477b9f55ad1731481216f542bc30df6476a190236e7cf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
82eed7f6ef92c6ef0f8e81dbb28b7dfe

SHA1
053e648ac8b91789cfab64112250d3ee6023d7ce

SHA256
0e6641cb544fccbd802fdbdb5d7c9d0ffb4c7f73c6f89ef2f05738e4f10b9f3a

SHA512
0e479ac82709b089aa78f29b9622e51b71f3f1d6b220bf1ad7144722a4cc47e5d428830e47b7fed74d8907f7b39828886133b17d1ac530d9668340a14cf0d69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1b762d80edc74a16bd5d63c1519be19

SHA1
a8eac7868f78d5c0a90522f8739c18a774a74a79

SHA256
4d4dc044987d89d1acbfae57a0a733a68c2bc9695780670b7e0e8c4747844427

SHA512
1535efb458dfbe650a3f58e95f037d6840723a1c7c8d9cc804cea9fbccfdc85f7c71fc466a2e8d11e5f3b7df963dfde7709fcef275b30ed7e4bbf1f87ebfd000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff39adc6774ea548c34687c5b2b7993a

SHA1
a19734c9c0467f03336b8df6126af3ff7c9dc69e

SHA256
e5aa360498fae5377003472186680bccc2f2b35bb2e6c269cfb4abacb5afd16d

SHA512
68efa13763d3f8e038af6e4276d328fd86be83b4699aff64cd1da236b04942c27612492d353d5cfdbafdc9ea9af61d70a79f81fe67d6e2af9feee0ce703557fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b20b6c60651fd6de9360022fc2e8292f

SHA1
b67b6950eca8cf4e183608973f3b16fefb70f47a

SHA256
c273b34c6d3d9c4971cd243929296d4674d81b1ccbd7ae5582db152873f10937

SHA512
d64e24582d1fdcd123bb7821c8afb5e9c29338e09ba1297228cd714a35edfb688b9b4d6d07e668249e7eefb5445efe24c3e666c0144016c780dae599a42e21fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
378e5edca7caa1e41699978cb96a2518

SHA1
9a11711a94b299147e8ae5ad5ddb6971170c0fc1

SHA256
cbfff201441cde2344a60fc6738a1b70e7dc6a0e9e4f761a55f16a1843c9869c

SHA512
14a5dafe034883a9e78fedaa0d91698fd3a97c14fa82e16000ec963338235625399ff87f91700606c0614685bc3befa458f05f1696baba0b85210954fe6306c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a6515681fdec785914b0e09cc5df438

SHA1
06bda65b64b5c9a6b3343f4f3548b44db860b1f1

SHA256
78a47392d7c85a99317b37f79665ac2ad03b7625c6f20b70ac561b60b7aee7a3

SHA512
7c5274915466c562a9fdeb3e96798b477e8f6d4aa989f55fa0ea6d5fe688a574507ba293fe7e4324c976313b619c256353c881db6d2ad585f1ae1a5ec7d8344c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
78a16cb15318cbf0e41cd1a98b04c2c1

SHA1
ce4042f9c543238b955615785f72e994ba65d9a8

SHA256
d036a4184f861837b7d325658ea3cfbb2105efea9027de2f31d216a0f10107c5

SHA512
0d871250cc071dbaf53bffb563e69590171b7a430c8d0af86edbd2c0e62c92e81bf5f357d17e9379e520c87678e424d4caf68fff6352b72cdb86c97da37e3b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a0b0.TMP

Filesize
874B

MD5
4e444f2e6ded859a8fa9f9b42fed5daa

SHA1
70118b1502e0f922d655a977338fe21f879e0b69

SHA256
4158c421a934d73f5feddffcea5a9c707092f700036af2f29d0f68c484522351

SHA512
0b312d6318c82e59fbc70a63273ba7a4dc29258555f366b23aeea69193eafaed6055adffaa90f7bf94a98d638fccef1d446f44233469211c4f83b982b6c794e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
064a87e24729781f0866ab0920341fc1

SHA1
7b36b90f67aac449d2e2c63fb3e4ddf91abf8c59

SHA256
f79ad4f0bec7bb47b079ebe7fb680eb39ecc81d353d9bff1ab7150d22450fde7

SHA512
c2b8687b1e2da356a91840d4f5f419adb180678f7d420e16ad81ddbc45567ef5ba2eb3a26b6a06f79573c7e63f9575f610c388a5aab73dfcbeb109e1dc2e111c

Download Submit