hxxps://abuse[.]ch

Resubmissions

22-05-2024 23:25

240522-3ejzhada6x 1

22-05-2024 23:22

240522-3cxsksda36 1

22-05-2024 23:19

240522-3a9z5ach52 1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://abuse.ch

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{D9D6E908-C4A4-469E-9D00-64C53F243314}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
1992	msedge.exe
1992	msedge.exe
1572	msedge.exe
1572	msedge.exe
4320	identity_helper.exe
4320	identity_helper.exe
4848	msedge.exe
4848	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1816 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1816 AUDIODG.EXE

description	pid	process
Token: 33	1816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1816	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1572 wrote to memory of 5032	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 5032	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 2020	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 1992	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 1992	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 872	1572	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://abuse.ch
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8daf946f8,0x7ff8daf94708,0x7ff8daf94718
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
2⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
2⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
2⤵
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
2⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6936 /prefetch:8
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
2⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
2⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5152 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
2⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5472 /prefetch:8
2⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6768 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,1457245336958025953,12817535040414466817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:64

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
93KB

MD5
3f444a91d2371dafafee8a19cea7897b

SHA1
7d09e2f60f94afae908e2c26f8abb7950ca119ff

SHA256
76f4a43b8e30ff4c622dcf9148d32213d9d6d73e938ac73aff6ef9afc4196e6e

SHA512
9b73319c7eb95abc02ac131481b95f6a08522f5c451cc166b29961ae61fc32a93f2bbc9ebbf72f698f26e9c54715591754b06ebef0a128cf6bba5b797324789b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
29KB

MD5
f47f8933ab7d9f035ad35e764d157ac3

SHA1
d192ea4945c0a8edf937e195e8f6d3c813ccd88e

SHA256
c498a7dfdd425e97e78a6656c437787e1a30681284e88c9425536b489b131090

SHA512
81ec28ed8f25a0ed13ec5608bd019ae257fdfef70a6cde7d25722f4efad57453c0f3146d53888933b717dd8d0de0342b22b2070cff664d67354405535a0e15f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
e2e147409f022a6dd63080063d9387d2

SHA1
4170dd7482ef0c015d33160e190d229a9b9e2dd9

SHA256
c558ae7c23edc64d008323ece3af84612fe8471b1d4de56771c15afb9578b65d

SHA512
491d3c4f4b566c00b90f96d520c2c400dbe45d649bc3c4ab96f5e0e184385f84e0ba3507e83cda8c8bcc32ada301b7a6ab8a0450a64403682a741b3d87a28814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9664d40203276768e5b0d82d5a1a6bb7

SHA1
42c040c128410ea230baf3a79df0bc180773e3c1

SHA256
ee77bdbfc3c50e2351d218b664d5423e2f2136fcdb9f8dc98db2f63ddc62b164

SHA512
0eb24b3750de53bec9b6bd2c95c2a0b23fd8fcf8cee36f1c78e225a53c7fc05d42caede29b80c764d42f06e8df3a9f007960e966c6967a86e95aa940550c74ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2625c6c5317db2fe3703b89b76cd6e53

SHA1
b023bf48688f686be74ff9fd46fa5051652d0eaf

SHA256
94d0d2190cc4c515ab0cc13dc8cb8e3e636e346bd708f5c1ede0d68f2becea80

SHA512
b875063d772f1515321a06859b5dcb68910e256f9bfc84c047ddc1da823e8715716d9fd0cfff811517521d862aab9a7a425499629625318c3a5215bfed587474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
01b3868c1263574995b5ee8bbe48e4e6

SHA1
7029c00c5adf6ebcfdb1c6c68766f4392ad7bfa9

SHA256
23e66cfa5cebed1fb1d7ce7cb7f48f2042187186ad72f63ea4bd2c7934e8bc7e

SHA512
8fdc49fb198705e2057b3fc8edda5680686686fdd750ce2d03cb2a008705c05dc29050f89685dc64091f518d29b2fddf2ab3d6abfe72d5ce3a76442496ed2389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b961ae09e8dce6e76e14f6f99e601410

SHA1
19d284364c19b0b869006cdb003b44998f2f52cc

SHA256
312e76c321ebd96946fa22c68945f663baeb83aec2ea73bd346eee32d070ec85

SHA512
6800c5dc3a58b651957a7337e7d60be324136982f7b2a5012b665a93b8167f78805f8fa406b47b1afaf4159555b5586441936276f6ddd9b151a598e0d7a3aa31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c55a68b10b8c6850d75494c4d565a24b

SHA1
68be4b2d7cce0278583705e250c34b607b4938b2

SHA256
59ec26dca9e54408a95e7ba0ff17fc7dcead56bd991745126a477f2df2606a95

SHA512
fe5f030a17cdfc5980aff569c71bea688f0745401b801137968bf789ec226f1276842a2debb4feca84a3b1ddf4471ab0459b9383ce4866bbfbe1c52a43e00c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c0f70cbbe514b13b0bc607f00744cbe

SHA1
ff914fe0eca20f2d7ae80c8b6d2e24cd6d7b6a22

SHA256
9a02d3c385e9e7615caf56754a2c92cbf4d992e68f1fc846b72b0558469d275d

SHA512
8cac7c9fda58cd136528f80f62006da8ea13fb98d9181d90153fa065798000cef963ea34ddc97d30fab3c1ffce209facabb26fdcf8a187c30add4291226491db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
807e55361746b907ef10a6f9761b231f

SHA1
cb4c1e52f682920ae1bad33d182577fb4825be7a

SHA256
cb0bd3dcbb78b337ec859f18645bd342a8cf48396af1379834ba851926806f72

SHA512
59e62ef565e9359f370b69a00e3de6270488595fc80e199c83a1276731f3d56d43941a58cebb61dbb7e995d5836ffa12c63701786f2dc8848e0a159fd47edabd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a8a9a1ad365eea1eb8728b8a8abad04

SHA1
9079fc2ab9ec7a8cadd25386349fd7fbb48f56c4

SHA256
b3f40bff2e9550f304a3f29db1a1d95a3e2b2070584ca5c8ee71e2b072f99f96

SHA512
bbb972594a87357fbff1d21da15b5e8ed1d1bdcac7c775f4e7bb0176885f4b8f1f65b4894702ff7a0edae069975a6fffcc9c55ffc295f610b065eb93422a9e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ed4af4c7a6ef4bc5533951a3d4445528

SHA1
dca51ae4a09ee176efc0da64ac873a5420c35653

SHA256
863b456909a038076f9923a268ed6dc9f828425881b6bd8befb93b442016b5c4

SHA512
8d75134ca30fe651c9f36d0fbe71d279defcb24a638ead7c16b9a49218ee59e28a34fc965f45afe231711c2213ea07c4b7280b95d18d5bb3ab314f094fed686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86be5e5161700b267dae804be2c6674d

SHA1
97e8b8e8f1f43954e3e9ce0bec97a5c8dd1687a5

SHA256
720f1c0f1d2883319077e9bdce4c17a403297528d32e8002496d9b0d86a0bd78

SHA512
56931a4d2d0d182cc0a32bee01a3ab754f03312df5ba62d1a78c4f5e52efe51c1513213b7e66f2ded54b1f4cda6853a02ba4b7d889617900c3aa7e4d4546bb02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
c30c8cc4e72350a1ecdb6c829cd21376

SHA1
e2d325638a86a37cf5c89dd4d7546a8f64dbc24b

SHA256
57a8891c78d4b228446b74cc7b8567f47fc583c767a1c659f9e4eba950249499

SHA512
13f3e218e78fc3fdd95c07301f6a44e66ea6f7cfe95f1f936057dd2041c0fdb2b4018a4d20c57edc7d71ade23c09d0f85eeb01a42f0fdb39cf8361f515866b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
a91c9b979ff324f429a39b1dad3c6dad

SHA1
4f11cf991c266e2b51d6fad79df9f50bf29dc11b

SHA256
bba7b0b33a8a0093bc5bc72431b411958186564bd7764acfdda9fe6f7ea428d6

SHA512
1b5c7d4658aaccbe480408b9410ae25095017d75b3337a404fe6affffc1440d896ab647faf6ce2531f9edb51b7fdc8fe652990dd607225418a2f953b0be74042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
5411b2ed5d9a26c5df20a40d10bd97eb

SHA1
1cfff1d96fce7de70e194ed0e46292511ddfc5e3

SHA256
c5e7f068974bb1208d20474caad55c2d3be45a650396bfcee39ec2201b336b25

SHA512
8429ca2728846c4b2e286a1277a2c2176c91e205035b2e382798b272b9614c619a7dbc9b055e162dc699c5ab1296b9060ce944dec4d1977290bc9527609aff57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
31847cf73db7eb774ca1824189e82e34

SHA1
93a1ea259aab6116be47e80bfecf41bcbe8057f1

SHA256
4ae7b7ae008e1fea82e82f0e30df4bae2a4228b07dafcfd33a2bed9df0055331

SHA512
8fd72942e338c84aea9198b638578ed724c2e1ca59488826343da89dcb8b9320463fb2bc1b4fe37e55b78227e9d7eea6346c1cb0cba74654f557668179bcbcc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e8edd134ab0194436389de9e331dd605

SHA1
7ab157fa8d721718ffaf6bfc77b5224964df45af

SHA256
58e4314feb9bba318fefec4a01bb364df6febd444971759de2d040dce403f244

SHA512
28c8b5ed1bf60672c474b614371601fd97605aecd21b7ded054d4be6abc4222d0b1d65bf7eeae68d7ac40e29f700308e6a5603ad858577e24f1e67894a852246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b371.TMP

Filesize
538B

MD5
49d64af358ef4407c446fca1624c714e

SHA1
e85dd110379b058645f3e03d40d0f50bc1799b6a

SHA256
0a68797f63946cb9b5edd4c24e4de894526f140770b801c4b34659f620130415

SHA512
1f747ed33be6619722ea8a772a8f50d44de96d2674609685fa0b3c03221fc21167c71fe6205f659e2ab14882619dece977064bce02f82d3e4e4ec324c8cf5a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bd417959-385c-4902-9729-653135b1d190.tmp

Filesize
7KB

MD5
8bb95dabaac881cfdb2e246fb1720529

SHA1
014f18e5f0943ecde84a644362b7e43f7c1d9f32

SHA256
6fec0c0dc9e122bf34b36c243a2892e4b6737a8f6ead631026e7b9005beaf23b

SHA512
928a876c4950b09251eee99f6707a1d2a853db32c8dcb71479b9599dd40c6e196438f021390f704f625ed72da8de4d7855929df014f29307ac03d718fd0e87bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b0263bf63ab170c5e62fadaf3e0de343

SHA1
90a8efa4eb83adb8bf153a7e95b84d98a38f076d

SHA256
8d54e9cafb0068a39176caa7bfd9361d7d7788867184a3165c28411a98d3c41d

SHA512
3deba18fef9531855fe804a1f4b15427199894fc0320a08b549299981a1c3923f6d3e9e110a48055bf50b9dbf44ce79d28815721db6ebca17e2996b49113894b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd15bb10a88a1353eb82f5501dfb76a2

SHA1
0fb97277de32f4ec8e060343ce7a774c021f6477

SHA256
7b9c615883fa99f35189a442171e49adb5abc6913abd3be690a7ecad351eba8b

SHA512
3f6b2a7992614e5a59f1f877db90e6ea1937daa21b4b7db99a0850614be086c52b34a7d9f228a64d4a9d444adf03eb6c517a31dfdbc9feef138de84e0e6968b4

Download Submit
C:\Users\Admin\Downloads\edc95b55201af0019567991377c9ed0e281a948edb2f316cbc80195d5bfa669b.zip

Filesize
628KB

MD5
d1c92738d8ac9c7b89c1008d3633890a

SHA1
00af63a09522ec2f663a7f36e89880f8ddd2ce69

SHA256
a7283204703070c074782258a2d9bacc7de19161857661a24b412700be14a4dd

SHA512
ddc6eef9ff9add06ef0fc4027e81bd7f0442f8dc663e47f47b1dd4685c7930bb5abf38f6f43ae39952f64eb04a1502d38f081d83a7438eb08b721f012076667e

Download Submit
\??\pipe\LOCAL\crashpad_1572_YJUELDEBVWALVZSE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit