hxxp://4koy[.]com

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://4koy.com

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 321020.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
4048	msedge.exe
4048	msedge.exe
5104	identity_helper.exe
5104	identity_helper.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4164	4048	msedge.exe	82
PID 4048 wrote to memory of 4164	4048	msedge.exe	82
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 4240	4048	msedge.exe	83
PID 4048 wrote to memory of 5056	4048	msedge.exe	84
PID 4048 wrote to memory of 5056	4048	msedge.exe	84
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85
PID 4048 wrote to memory of 4232	4048	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://4koy.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a18546f8,0x7ff9a1854708,0x7ff9a1854718
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4189152876079599661,6434023516155396539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de1d175f3af722d1feb1c205f4e92d1e

SHA1
019cf8527a9b94bd0b35418bf7be8348be5a1c39

SHA256
1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924

SHA512
f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
06b496d28461d5c01fc81bc2be6a9978

SHA1
36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa

SHA256
e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507

SHA512
6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\482849a7-1938-4d0f-9659-f0dd7dcbec3f.tmp

Filesize
1KB

MD5
67bc65f2b78d5e494859b084c458767c

SHA1
75f5c838f14731eb5f84a9af363a6355b411d7c5

SHA256
b81917e2dfa8c1be2311e2585f29d377bd1686f7df2e473b83f4c540e0232159

SHA512
80784c13617c47b4bf02b44af1f12e5968eca27158b316f3a6e028725166b8f1af9e3c09ba8a11e222c8d4f019d53f2408758e0e3004eaf3b39f0419f190fd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2eb5130e413ba49aac9e26eeccb8979e

SHA1
9028d5d67ea84e8323b2df2a984dc0167287f833

SHA256
cdbb17efb45319f6f10f1a58c1138f29a5443912d7b08c2d54b6af96efcefc91

SHA512
eb4d6ff1bd2eb41542f95b5fac5a7c1a2699a8872e852822d4c79aa59811ddae92cc51c857654bf7fc423dc9488a425bd58f1ef98c328954209a851d94ac5552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b32c8a81c8efb35d21956ca4f63e9e2f

SHA1
3d496b08648756b1fc9345c9768d2232efd8397f

SHA256
94ba0c14d7a5090173711d768cef1a1ac16b7313218c5f07f5dd20d98e255c72

SHA512
8e2261b7e4c1ae72eb51477904c4cb7b705b97da1b783799dbc427e278e10cfee0fc6c92c51f7676cc0f1c13dcee6681401dc2ee2722f8ce823391112e135f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4fbc5a013a909045b47590891ca34ae5

SHA1
1940602b2d5d8a2988a39ad3e6d16ca50e0aec7f

SHA256
c8ac4bcc3586d6e8d847d6dffbd0d454ff788785a04db7aa8cfa9ae924a39d28

SHA512
59032dbe83ffe551d2c0a66d01d5e6e1d2c306368d8b688ca0e2184d216553697e27bc787f0a0f75732770a5c73986f599068459fe4cb6d288c53368c9162fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_4ko.pages.dev_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2f8d07ffafc3557c297bd7243033dc2e

SHA1
54aaa48106336405f7da9487fb10c9bdc0c60ba9

SHA256
15ed87b3882df09fda57f271fa434c4dba61293d59c0789cde89480dc4005f9d

SHA512
da385bdbfe42965bbf57263d61fbef7e40f15675772e497ccfcfaa58797e931bbfe5ab8256700d96903a72a216a017a8c9daaf4fdb3ac43310983473652d3a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a8b498eaf8e44df1eb6a11b36102f52f

SHA1
a88d7508971149018b5fcacaf96e1488eba407b8

SHA256
712e719035a457f1147239efcf3c0f1dbfe2c25fdefa460d4e127edf161b4bae

SHA512
1bf8675d846d8ac99f92639bdbaeb944c7c8e3b63159558bce64a02faf748180026add1b427a31de78eecefd3ff71ac44f22a3bb724420f18923d71ea80c2fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0283c1401ca50a2db6b2362173c6a7de

SHA1
5af0ac96cc44b1e1d07c1dd4cac873a8a12df30e

SHA256
8243dbe4cf590d97f1cab11310de6b6a2c48fc6d41399e1022e5472762bb24d6

SHA512
0c254468a9fd9f28f6a630ae7c553f40580cfc833d5b88e708c025bd17e2b40aa75f1ad392dc1799673a1b6b35a3d2a0c8e7c85451c207c1e5f34e5d91d5d3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b358946b96176e27257755806744bea1

SHA1
f232b605dc1d4587ca51996b868ea44c6d17227d

SHA256
95441742f7b9d5fc9cbfc42437e8d10ba17ffe2e3d70107ef985b17e04fe7e2b

SHA512
c354c8274fe5f160104d14fd45792b2a9af0aafcc6887dd7c86bc20f3f20de3c3075d0cb0080201b4bc5b136dec8d6d0ce0cb0b2e2fb5e19d9eadc4475b6ad29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
14aba84e634653ddfedadaf7cf1f2401

SHA1
38559f626470bb9e87de3528e56cd3e5997f063c

SHA256
fac899ebe130242b67e6c07db739ae1239ba1a76a916b36edb5430faaff192f2

SHA512
fba4be43075b5e87709aa4976977d3b2ed7ff88efedca633700947a0f466bf9317c03c0eb20c9118689639d500531dda612070ba2fdd4229b23a55ad9d847b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
606d038c5e42fe169feb67bf71d522cc

SHA1
e7be80a63050aa4102a6cb20510c7602ba104c3b

SHA256
7416acd4dc49712e2bf0e211d00a86b9185fbf4bb6d0a252e6056a00bedb80c8

SHA512
1f04e21608b6de58f87d091e41691fe4cf2ee067e5f2fe33e6779da7717c2da04b5ebb415bc56cadcb76ad6a0d0c020fd68b5d87fcbe7ca6c78fdf803d7341dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f009bc3cfae8e5e9c690c003f3f62249

SHA1
e2f48601176c662714f9ca382442c7fb89c38214

SHA256
45e845374a2dc2458eca98ab27e6eb65510a41e73335bcd96c28cb91c0c6d24e

SHA512
33b2f1231c7bc92f108574cbc46dc04b71936d31e7bea39e1e44127315d3e6a0d4d6e6838cef6d2f5b04b20d486467bec49565e0fc1a6812c3df47de6e5b025f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7ff6c984e44d6c05d2d983617a522ac4

SHA1
fa5687bcee90fcab2edf39036c08e20d45b875f2

SHA256
ebc1009f448c1b9651919fb18586dea309af679ffbd02b069c78f8083dca2d1d

SHA512
32bffd3746e9693cb29484c11ce7230b66b2a79c834ee136a59ca0a243a69f75ddf9151d15670c2db74cb34acbac6d98a62698cb7438c8602d96daa353545876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c246.TMP

Filesize
48B

MD5
2a8119f8521dd4fb6c4d34346c887efa

SHA1
171e4d10c3ce00ddc6dc669748ded961a699b02d

SHA256
410e3a6c15c1fb98a3dbfdd396e1e73540dbb775b559ae8d4dcf38365bbee4ea

SHA512
086ea66b47abec802dac52383dfb787ea1698749d02cd1426f729662f68a5ba373509553131dd539e23583f9a36e2edb1527ea97ccfe623c94ecee204fefbdd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b59a31957f0e42bca64db1ee3f5b9bd2

SHA1
9837b3761401eb8f757ee54c1f206e43be0e24f0

SHA256
fbe388b8a4975145155ce094b7e6599ce85352026a1ee367d5d56170ab8a3ff8

SHA512
e1722f2af0d5ee592b10f6b8ac6b8a009dd7ba823d6c58e878ee1fc863820927b3b345aa647b6e5643ebede42bfbd22f374efac0adb45035aeb8c3b950c941d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
49c9fdbc052c6f246a05883edbd8c0ce

SHA1
68f228de73da0830e1324dc7c7a9d8277518c612

SHA256
3a3c48c47c87f2e3c23dda5738c474c691950e9a6aba53d79a6cb6da3e3d046a

SHA512
47e0866b679a7d91d6d7095262e5a158271e993c85b29655a09c9a707e555cf26a85bf3361606e78cf95af39db2a3b0a9f8aa56ed3667d24a6b01037710a06e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f28e77e66f309cf45b688d217243777f

SHA1
64bf66fcde66054c6dca98160ebc86f89a833a00

SHA256
65c5fbd6748fdbe5c8571e8ae1a90f8da4c7b9440fa93b14011c199ea2fdf326

SHA512
9376616fd6f03a10a9136aa0200abdfda36ee956c9164d47cdd250e154efe0165f2c9c56096d65b89a565ec3b701071e7c875fccc22dce810457eab6942fb8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c05d.TMP

Filesize
371B

MD5
e08227092f373388f5e6ef749caab63a

SHA1
b208e7d86652c77ab87752048f24d72d42df6866

SHA256
5223299b2772b5150f65640541a7cb9cccf1639df43c5e930ff9a2be55a08478

SHA512
721a6ed8edcfb13c3ba81368ea8e356de8d96084755e4e862c260da610f03b19f389773337aeddad47b592a3fb3f2b8ab416ca9337fef50c14bdfe12d1e99fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44c6fc15423565e83bb58acadbd4d7ac

SHA1
5949ba7c105930e3a6a53a0720e2b8fa6adad3a5

SHA256
bb59d426178d3a0e4cfa22d7578ebb9bcd6cb8cf8a8d3619800d7b7c852999c8

SHA512
501819b7ed8f7475d20312e8f7833a9f0e6bb4b437f5b63505d8fed8c16a77851e8e914f4e82705eb9cf4de979aaac834abc26d1e88981352701b822efc45237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit