hxxps://www[.]google[.]com/url?sa=t&source=web&rct=j&opi=89978449&url=hxxps://www[.]dangotoons[.]com/&ved=2ahUKEwjZh7_0kpeGAxUn0gIHHWcvAZAQFnoECAYQAQ&usg=AOvVaw2ldF67PkcFvJsRVkjAGNjH

Analysis

max time kernel
297s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.dangotoons.com/&ved=2ahUKEwjZh7_0kpeGAxUn0gIHHWcvAZAQFnoECAYQAQ&usg=AOvVaw2ldF67PkcFvJsRVkjAGNjH

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1672260578-815027929-964132517-1000\{D79A1616-9A7B-4100-B5D8-287D082D7822}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
4008	msedge.exe
4008	msedge.exe
2780	msedge.exe
2780	msedge.exe
1220	identity_helper.exe
1220	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
932	msedge.exe
3956	msedge.exe
3956	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exe

pid	process
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe
2780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2780 wrote to memory of 2752	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 2752	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4436	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4008	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 4008	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe
PID 2780 wrote to memory of 1416	2780	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.dangotoons.com/&ved=2ahUKEwjZh7_0kpeGAxUn0gIHHWcvAZAQFnoECAYQAQ&usg=AOvVaw2ldF67PkcFvJsRVkjAGNjH
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd41233cb8,0x7ffd41233cc8,0x7ffd41233cd8
2⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
2⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
2⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=3512 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5896 /prefetch:8
2⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
2⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
2⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
2⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
2⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8064 /prefetch:1
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8244 /prefetch:1
2⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:1
2⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:1
2⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1
2⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,8532888963486113966,7391069024760584705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D4
1⤵
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1fd58ba1-ae57-4cdc-be62-b57d142a57f7.tmp
Filesize
6KB

MD5
f0fa8ed90fff0c5d49d520c7cb04d4aa

SHA1
d68e3090584332544861edaba1cd41aa98828cd6

SHA256
15a592368221867e44731a62d86b8e8f635c4d418d04d198ff8d3123ca30f9d6

SHA512
e2af90c83c95d0dc6e193fd420f14d347635a76b9ed8a3ade57311b0c3681d17949403e94f080dd2f60c80dcf03268a356a1efc05cbd6ad0c0caf536beccceff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
25KB

MD5
0990403b1d11de4917dc998ed0cf168c

SHA1
4f3811ca98c919888a571db32e1c0575c91069d7

SHA256
63faf734d19752e9b44b38dabb934beb540eaece32f9bcbe0812966e60de8e00

SHA512
3c752d63f7201273faabb2194a4e756da47d1c7b1454580affedb0538fc0cc0bfe2d290045f0d94911747cdee7fc35f91ce2466a6a4c2683049ffb47e5212d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
e5cc46222ff79c8b96a76fed7f600ab1

SHA1
dc5de488f54e9c19e8e34dc32df90f84c165bbf9

SHA256
118fcbf2569ee3a96fd4d98d6e2d63461cc73590d2aaf9e9243364e9d9bb96e8

SHA512
d3b69d026fdc3692922dabdb83be0e1161ff0039513995d9a1761f9f5f1babf2d3d260cd3e469118b2c10e386becdf233875a3d04dfb41fdc438ddd501c84af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
ebd88b7b3688a62f7a582e41db93edd3

SHA1
832d4ee32d7230552c660db39357440cdc3e6b99

SHA256
212af19658b56e56f5c129cf6fbbd9c942b9115c126240162e3a70b7f9a80527

SHA512
ea1e63ded984562e31081180f8d98a9b36127698ce12cca8b31251ff7e73e4a22a041734c3801c047baf9fd86924773f46b730fd9bdd6407faf9b1bf03033339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
8d17c12a2b0ecc6636bf33c26372faaf

SHA1
ef254f039cbd7386141e29eee5a12804ec7db312

SHA256
c66b9858d9ad9a20dea669c054d3e3c6d2c1bba39e9bfadf5e205eff24bae17d

SHA512
7f40b9e0a9b07bed55aeb80c838cfe8cb723c7bf33a6dd3a3f19dc6959c9ebdf677364542dfa7cb1853d140c48406bc764fa77752dcb70de790515070ca9de7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
52528f31080872165cdfb9a60997257b

SHA1
27a660414663c9dfb9b4b9e367e6b460953b8ebf

SHA256
6075cac5b9ad0e7c9349d630a9fef661c3c9af1dea1dab98c15f17a7224f06b4

SHA512
a5ea40088ec4b5cf3cb4c75da10a922c0dcaae6d38c99b56ebbc7319fb74f04c782e4186ea81a6e8e31c568aaf7e2f4a2d39b11cbd62fe377198c8b619a812e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\002\t\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
7KB

MD5
05af5f59ca8cc517155a5c432595e850

SHA1
520fe6478a492ae85d364fb370dcdf64fdaee2d2

SHA256
c3e77ac61704528e70dbd42c5f3c958f2f9695fd3f9111a91191d2168eabc3cb

SHA512
dbae40ad4de4c403938b7f70b860c9412d4ca49fcbbdf7d954a210623d12c1e2718cc14a194c266941e8515304162f8ee6d289d634225df5c80951de7b445f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
d11bd4c2b1d7f5641b128acc5da292d4

SHA1
1ac2c03a6c7ec384a89ca11f5ccdef25cb30f5c8

SHA256
1638c0ed10afea9820276cbd8f10e81c9a3b1c23b3cc5e904686d27190e57d7d

SHA512
3a16137846e9e007c8b552f96f948b4133c74c758682e102bf3b7d8e51ea5b11ebf2933b277ea5426def6438b7dff0f3681ba544c1fde576f9992b678a4e54ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
6bc92cb00beb060d3f16cd50dd9adc9f

SHA1
9ed6860db26c8e2ae5c4a85aceeba1ecf7e384ed

SHA256
017d722b46cd150cb290f5166ba7b00318d84dc85486aec7f02d3942eacc79a9

SHA512
68bc04d9593c9451c91bced1c20e9addfc4d90660f9d7ea7453707e22fed443d62a442565da145245bac13f6f176e37e32f554da58ecdecde44f344cd214b3ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
2cd2d9669b6d2e784795bf5270f4f626

SHA1
f3eda4711fdadf7e5148d7c34b2808d2904df398

SHA256
a3fde64db569859791228e8a89b6b1f96b7c4d33abafa6ab8c1982b9825271a7

SHA512
e48fc17934fefd4373d0851a163e461658dbd3753dd3fc61ae34391bd2890c8973eb81b0cf14a65ed6d960df88c1a3c1a64831d38b8ae47e5ea3dc9e36b2ebdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
d05a4fd160800138b6664c0e9bb66ecb

SHA1
84dbf86d9fccb186661641968d11ff63dfed30c8

SHA256
aa87018bb7198a84d3b8b0b5ff3945d1734cec01ca274e6f419231c2d7992e19

SHA512
4680922005618f132f6a98e47811a3cfef93cba2f98996b673e3b03e905f03ba2e9e014f13367ad903c7843c73c49f8c1d88997b34f6d84607f4ed3a3dd7c12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
ac689713a58bc63d5098edc41e8f3bd0

SHA1
4bcec135a96e47aebdf3e923756839dcf321cc73

SHA256
e2453c5cfb0c131173b1f5a0022e69fc8891e2394a76d96075758e7e8e3675f8

SHA512
cedc71a4b23a36f2c68ce73ff365c90fcce091ea1eb3db62887254351aac423f2a78eb8e21b8307ffb0f6ba2dfe4642339d64238c12b8eace744c22196765cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
e41eb803febd04df7a13381e3483e106

SHA1
e1762e473af50b9ffae6568d0fd956480b556417

SHA256
99fd7b921da7af24496d7497c626700658e8b2a8d9c789dc3204c82114bf4da3

SHA512
bffb53efd1d4adcb4ea7b1070ca7a9277c42aa19a7bd98757af59a6b918d76c09a97b6db0874307805cdea76931dcaf8ee03f177777f44fa05a1c8dcc54235f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584e88.TMP
Filesize
693B

MD5
0bf0c45122e9bee13e9d472cc3dd49ac

SHA1
5545704c63c0d9dcd8faa7a7bc1080ed7e7fb6a4

SHA256
9ad766adc2a5a3a585f6a4d182a3c53352c8b9d1e81c003ce7c4eb7110c6f0fd

SHA512
438b3461d508cb9bac1aa179aef359451c5d944800108664df5f7d5e57028b5a05c4ce4c85579971a509c5a39a53c14f06a034c6f9301a8b8f71b83a759b631b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1b37058342f6700628ec124cef07f8f8

SHA1
71c998541789936ededf57cb95b29784250b2ad6

SHA256
b9872b97f169475cad2459953967f232b243d1ffb1582d3c4fb4659c6e0644a0

SHA512
4d00087ec27c33136b7d93ae1cd4f9379ebdcfd1fd53d9fc957450d87ced4159882c03accc35496c6219242be0a81e70910573817e8d221b1f99b5f3331ff47b

Download Submit
\??\pipe\LOCAL\crashpad_2780_NSQQLQZSRVNZSXQC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit