hxxp://asf | Triage

Resubmissions

22/05/2024, 23:05

240522-22ykqsce26 1

22/05/2024, 23:02

22/05/2024, 22:56

22/05/2024, 22:53

22/05/2024, 22:49

22/05/2024, 22:46

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://asf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{6F612AA2-5646-4A40-9290-E3EFCA829586}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
3528	msedge.exe
3528	msedge.exe
4400	identity_helper.exe
4400	identity_helper.exe
5860	msedge.exe
5860	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4368	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 556	3528	msedge.exe	84
PID 3528 wrote to memory of 556	3528	msedge.exe	84
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 2544	3528	msedge.exe	85
PID 3528 wrote to memory of 4028	3528	msedge.exe	86
PID 3528 wrote to memory of 4028	3528	msedge.exe	86
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87
PID 3528 wrote to memory of 2300	3528	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://asf
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe48be46f8,0x7ffe48be4708,0x7ffe48be4718
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13753872667249838462,13509429714720512106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
40KB

MD5
9dc9673c5af1dcf765ad951ecba52c69

SHA1
9d5c1202e46a7d699bf85559b0a827bfc3a57751

SHA256
bd993164fb521b40693bef84eab25d964ddf89b16788458e661e453eb418da46

SHA512
bf515983dc980667844bb4a30b05400ef01df2047496335ca2770466bfe8a2170a4dd822fc56bb109b6235ace7e4ff52a75957d2d9a752c3bdd8b71265b698e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
991cdad1cf921ac5ce995a0ec9b6e312

SHA1
a3fef88dbfd32034daab4811e8446791d2481c6c

SHA256
a2590c2b03e01f0ef1181caa7c78800ede4255186ae37c1a28194698f8f19324

SHA512
807937d9f9bbf1fad83784ee802d40195edf45dcff47d11ceebdc83bd3151f773f1e36a8e8ffcaceaea707dbdf948ec0f4577f325739ad9d4f63fc6596a341ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
184KB

MD5
d4bc2b364ead34f20805d6f8236c5847

SHA1
b1b25ecf8c9887d9ac904852cebb4f026d8ab5d1

SHA256
fed0951ca3d44299e7d4961857cf6bc9255e259bd29ecbb1291e874b60597789

SHA512
83247e105f7536f8b197b7324bb54b3687ad77f65863727b06cee8c9d637322bf883ae3efe0c4fff8be5ca99a4aa5f2f643c1f7ed9d36ace79ab507df2432e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
29KB

MD5
d69c98c93cfc85e5db00ebfcb9b7a7da

SHA1
a22b5f6f8156de957d1d947a5cf966e488e2a4f4

SHA256
a3fc047b0b4496b6c2316773f45d6bc4a96a5e6e6d1c4dac8221774c3cba6c2c

SHA512
f415901679f421041d5f1e84e8021f12814b2d3566d4e42951d915c63af6ce98952ff97133e764e7d04d5c38629fd42c4ccf4c1e139c3ecb303d7f15deaf7731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
436KB

MD5
ec9be21bc3b4f3873e20036adf872845

SHA1
02a41f31ec05f03cea0293c418e65a0b6214218f

SHA256
376b986feb0aa3c578ef5ce4cee478124ab85116e9fa7f890bd36888b5a95a70

SHA512
8d84406aa2cf5bcf6700f204e88ef38b1a6341debacb1ae0c5d60269f49fd33d35e899c775d13d02b2669be43dbd153d4070c08bca46453903d371c995bc862d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
41KB

MD5
a5b47fde93f3dc2156e70ae1804e45be

SHA1
889450c78f0bd7c5e84189d1929a48742363168e

SHA256
374522d7b32f9569e818b56db3afceb793de35ba9f585a30e8b3b5f892a19b18

SHA512
4c43c0b7d379f2171bba060c08ded2c6aab1623a4cc78650eafcc7f2a572bdb78f439345a18df5729fbd14a7969c53f509a1d89fe534bd264915f98f20cac6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
126KB

MD5
4e8aefc88c7058579234de9da19d5d98

SHA1
6f3b08755a2cee2e8aba361f133fb3746ad62522

SHA256
95e42ad3d3fd482f5d2722130bc4ee60ef212a4864f97c2354b545683337c91d

SHA512
27185bacbd5e0b1098b96483f65b3f78361b111caa8c8a717f99c2769457f3d4cebed58ce1182c4cfc875fd7fd6dbafb462b9e1f36d65a1f0e1d4afb9c23b11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
354d609618ec61a097f9870be31f30cd

SHA1
238580c9705903b1c505960c40687fa19edefc1a

SHA256
dfb1a708ebb40d9927c8dc76901af0d706d79af56c0d200c0bb7010b64b36c26

SHA512
1b46d548b98da9675e556fbbb9c845698701c4bce957455db5ed281cfef294fd94229e2c0072ad53875abc034bfb081bcfd4fea9b1edfe1cc1d4712a901f7195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
05f95f2f796430963d8c29565dd39765

SHA1
992b2795d29b5fa58ecab40eaf17d8bc5eba059d

SHA256
d7e27d7db653514cdd92a1fba6de04539c0eb0955a7e1157569aeed34bfa6c23

SHA512
2a92919b97d1dd249a2a6342b695c21245d6531a25d75d29ae5e8866f2ae2d23f0da9d513b071c2811b664d936c191901d9f7a02e0d639cbad0f71c0491e92a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dc6ac5d569eb6b508d321319267a8d75

SHA1
3669d6da15fdd5929e7a9ed04407b78099a7d886

SHA256
0c6f5d1091fec4479aa1eb35e6429d0c701966eed60deae3e552e0fc0ba6184b

SHA512
2358b9e5428623076b82ee38f52972431705edb23e939e85bb29bafefb91ee9348d1bad26feb048a079097a6d765a58a45d3d5720dbb47bba82a7434becb7e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a60169c9e1b95b777356e4015cb0c7c5

SHA1
68711789ea3367f52d3c6e86bab4d5e0732b5f37

SHA256
85d1f590cc5ea9bed87e960c902d3e0c6202645bed3fe012adc9406e62102e8a

SHA512
cf99ad462079ee15b206ed681c7480912ea74531387e43c35d986054765aa20d4af1ad964cc13d0044b4ee976aec86c2f059569794c739f9ad503d0adbe7a1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1077ef46c05ae426dc8bae2312733bcd

SHA1
dad83117c288c6e49d6d5f05ff3d010b66206f81

SHA256
01d07d7fbe140f1d71eda349bb2384e8d6d4fe06bf8d2b0d90d6f5303609380e

SHA512
ba1d9891bd1c5479cc3972e34c6e773ec07cc4da2c553c7ec81877e4f46973d55b9a0d1221a57eab5d03c75a8b83519332bf400b118d91c53c6b556f6606dc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00735cd25415dc0a9dd600fc08004643

SHA1
fe341692ca24694d83ad6142430f5580a4082c0a

SHA256
e9e3970a6d63ba43a235584dd9f0e82a99402d211fa1312bf2862c1befe79c8e

SHA512
60d2b5cb3674a63a5abad46443d5a12684df9e4d13f080c41a1fbda2324e608f75f58280f619002d50011d4e066c3ede361de49cca89e619b40701b9f4d7fbac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8c180ec24580200613a768191fe110a

SHA1
369bcd0e8d91db95315b6f28b9a9a9c756f0eed8

SHA256
f216673579fb23fd61fff209ea9cc9a9e06075a7fb9ea010edee98aad78b3a5b

SHA512
e747128b46776f11cf643aa304960d75427e31632f01cb2f927201618648ee16b5c42ef1bfa227ea5ed245a0f47ae21612f9fc8e1b8f062ab73e85c49064db1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf4b2a1c8e88dec0a95db1b228676952

SHA1
ff5fb9b22d0b822ea581c238b4a08482826908cc

SHA256
c296096190e1f3c9808177737410b6f49e6cfbbe5d2868308cce66935547c4f6

SHA512
a37167ee8363261ce8a7329f9a0b98367de3e39f281d0c2ce7dae14945e303c9d6614cba3b2a7cda37f894f41b67f05e8eca0cae4eaf46a3e4c95b02509ba4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9cdc88c24d78f16f9e163f53019bd43b

SHA1
bfae93feb2b711c43db0cc0a810f3b6c3e0554ed

SHA256
0943bce6ad20030c19b692f2b4e6fd2aa50a3c10c5f268d686b567d193af8cf9

SHA512
f4dd8f129ff635e392125fca7fd9ecb5eda95e493de5923f042b0daca1b196ea0edee413741a94028d6bd7b0255184786271bff50ccf23c62f5a9fcf4d12044b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
896f6960098fd9c5b326b966798f5ebd

SHA1
6e24b3fba4f80f93b05c019f37842ba6ab703ad2

SHA256
9bbedf1c24eb42583bdae302c6d32c4bd9e82d20a8cb16d77e6175ad2abe7554

SHA512
b52fff2003a7ce9f4d189383641ce8b4bdb6a51a00228148e8f596dbcf859cfcf8b6b1d877c0bfb154b126e121269fba4223117eb320b9c704f091250aee1572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ed51689049316a611d4ce88d6440000

SHA1
11a24e40b91e15aa2b2cd1dcb80c1e9b2d1e8b77

SHA256
9d9bc1e92e5031c8cd8ea02430e2eb5745aeb4c01bd883c04183941885d30974

SHA512
173f615740c741a57a562ad5e875969c3e90ef3f92adf92becfdd29dbe4cb538128f59f7d36923d26af4fb71b7fdd5ab1c95599386628e91fa52c4ba6ccee7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a57f0db8211f010d0020408470c34f85

SHA1
d037fcfa143745daf08bb889044a5f76cc5afe47

SHA256
460e8f39ffa9d4d673e7597cbfd994d816cb37bab0047dd27db36d94bdbfc72b

SHA512
a80143915a5a968a78204494e862974839a29d6d6b805c28fd4c11d401d3e35f070d543a3b14bbe6e09c1afcc278122294d75e0b85a5e3c8f21bef51a94b3935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6950290224fb62b68215bcf299af80b1

SHA1
9a015e38a19a2d6903a589da90a05f11af90d7a1

SHA256
8dce691147d26ce2b44d76df209182c915659cc9413dbc3f1b4ed886a9d5afd9

SHA512
d367743eb3dba066ad9146391743abea12bfdf5428f087183475f5d10a2569696c84d29a0948374de46554eeb53ac96e99de3a681e40864fcfc1d2bff365cee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
4a54924c2b93f48995c76f104d494ed9

SHA1
3d3d09bc7c93dab069737b91d7b248b8537c0386

SHA256
b5230de0d66c27bfb5c6531c070452ff1b43f9c6c5bf83952cf98f40170faec3

SHA512
22e456c64c9bff8e612270e26c2a3b380a4769d2f4f6307a7f8381f926651cc06fe4666f84d6107633a78ab89dc3471924519887114d1995f84f2b7861e74788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581a2a.TMP

Filesize
538B

MD5
3956190484aeda732ccc03216e81444e

SHA1
c5d04d657d9071223afde2ddb71821b484f20126

SHA256
5256273533b0b5b907d176056d16c9f5554058e592c914d65fc72577da0e6a5b

SHA512
fc4d0e91af4d1be397ac1b58df300b9b7c678b3adcf364728f2bbd962b2e3dfd1def8d234ffe59c67063caa9bd345c507eae2695db2d448db93d7b58c08bcd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d156faa1aeed25424af5e7cc8d75fbff

SHA1
f121330933e2cf0aa8e061de9f6a32344ddb3179

SHA256
22e3f687be4f55572ab67b1ae8f6c87efe6c0ebc405d81689fb434ac87ea131e

SHA512
a5338fa3a90e71c4ea3372f628d21c59a8b07746e60499e8b4fd5846da4e547f91af05cc536114e070cf917accfcb801251c33582cae2e9e410d4d19b420b5dd

Download Submit