e918a7a8f1e6b2394a781c46e15a510cb81376afabfce72b6d0b2fb1cb300047

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/Monaco/package/dev/vs/basic-languages/bat/bat.js
Size

4KB
MD5

c0ea60d00820705cac4d2857da94e7f8
SHA1

b84fdfc23fb97f37e9134089aac916392a943635
SHA256

794ce7c333161e68fff0c6a4a1bc7cdc678073147dc48e1a49aa5313483fc4ab
SHA512

b5e2330432aba944abec1dd0450169d8c1060e42b52efb2c4aaab5750d1d7ed691d6524cd9c3249dd14de8bdc039acc08c3e969b06784c9f3236b72cfa79b24f
SSDEEP

96:HDGk28EmF+z+lDHm3vPP3jq8tHEDwrORJC3MB/mMw:rZEm3DG3rBGZW

Score

6^/10

execution

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
74	discord.com
75	discord.com
168	discord.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{B2DBBC79-8468-42B6-86F8-8172DF4AF2CF}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4380	msedge.exe
4380	msedge.exe
3208	msedge.exe
3208	msedge.exe
5012	identity_helper.exe
5012	identity_helper.exe
5564	msedge.exe
5564	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 4712	3208	msedge.exe	101
PID 3208 wrote to memory of 4712	3208	msedge.exe	101
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 3836	3208	msedge.exe	102
PID 3208 wrote to memory of 4380	3208	msedge.exe	103
PID 3208 wrote to memory of 4380	3208	msedge.exe	103
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104
PID 3208 wrote to memory of 1684	3208	msedge.exe	104

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\bin\Monaco\package\dev\vs\basic-languages\bat\bat.js
1⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SaveRepair.shtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb586446f8,0x7ffb58644708,0x7ffb58644718
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,6855112899621531304,6523113181537166683,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6580 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
31KB

MD5
0b132f8117d23307620446dcabaac844

SHA1
2b8effc6ec228f6c119985dfa4ec656a5f145e92

SHA256
dd0b85dfa2859f3ad25e5c26f499c38f3586fdaa476e4c447f7b79d75e04674b

SHA512
dea089938fcc8d382832ec4c946bc368d0689038556df75131b281df9aced6d979439f8122b9e2db5733405f9f887328a76cce5cdc08d9e1500a5d4587718289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
156KB

MD5
3b0d96ed8113994f3d139088726cfecd

SHA1
1311abcea5f1922c31ea021c4b681b94aee18b23

SHA256
313818d6b177a70fbe715a5142d6221ac1a1851eff5a9f6df505670ddcd73074

SHA512
3d78c250029069e1850b1e302a6d8a5154f6e7bc5cd58f449b8824ccf418e80dba2d5569a9cff72f51ccc9de140dc91148f93ec4717f4a880e2ba94898fbdb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
38769ac76530dde030c77142f64ccd5a

SHA1
d0fcfd8fd088723e61841b81de67ea24053c4959

SHA256
47716cf90d9d4ca67c636adc1b8c33e66ecdc316387a4b71dc8d63f3186e8b4a

SHA512
a1c62f27f938cf455e8d149a93b87b4e8f83da03e1a6e7938f95dba4e0071c26d1bbb2a5e83d97f4987c7f257d52b0cedbe8c1d68f2c5dc4c91ff8ef1b0b058d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d1b82f92e9619c058881fe3c2f72a597

SHA1
3d85beebfd73c6518de5abf77cc1a848d87552c2

SHA256
4753532ddf28e0fee9100b1b0f561fd923fae5a9777a7336854a3049ccb3a03c

SHA512
fb62fd5ac4f8ccaea918dbb77c926528602d1647b57072b2617e771d8555bda43c50635e819c520a4c3d12849fafb9cbd427c438ff4dda6249e64ce08b2dd59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
56eb645623fba59cdee57d90d82e5f46

SHA1
80b72f2e6983382799545a0671cb23af9c9c3d7d

SHA256
6e210ddb08c05c8a2c8461e64ab793fcec81871f8d6726b80ab9312859aeca68

SHA512
338feb879c48a29ea13a8b7e4123c677bd27d67dfd3fea277c0f1b7d655be5ae19a238d6c8b647791c9272e5b3bb81d8f98a13a4c79b90cdd89c8a2c6fa199e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5fcb1e67956b18b4c6ef80ef4eb50f11

SHA1
aab129c2b031a5299ac64b9d67c72c2d9ba5b42b

SHA256
c87b8ffaf10e0609e60ba3c51b00d9e2d46470310b864bd3bbcbcf00a67af73d

SHA512
af68a4af3a6cf83921a968291eb384ce1a5d78e8fc1ae0b2d55e75ecb808aedf98de07c09da1b4ef1811409ddfae18c56a4d2a20f4c86e2c3bc93bef72092d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21a9c51cf15f03e828a4922bd01334d2

SHA1
82eaece3bfc20c0a8caa3edeb113fa1aebeb6482

SHA256
04d4476e909fe6606c02038aaa3b0c4b3c83fa03d3e02b9129f6e8baa0a171c3

SHA512
6d67330aa6da709b8d9d682e8a58c930497611fda8880d24d20d22d019cf79eb4900fdbf8e11f9359e898d339f3237296a85eec5eb51b32c884e9a43b54af961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8ffcd54a261cad1b472c0f1a9dd0303

SHA1
b312202f37cee234e6d1b9091313d54171846462

SHA256
0e68ff6a4c837d4578e36a63e94ecf8784e1e9ad9da70770b65a580034244d9f

SHA512
717f51419612541c52a9fef701a0d97c9e8e506ee8e92cc1b8037b5ecb3b15443a29874fb362686c25319847d91c65bcfc4f4d6943d81125427e169d508ece04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d45cb7c28e94979921863d8116d3a96

SHA1
6621f7c342dc51608e3dd448cc452811c9df6e00

SHA256
997aa67f46d522992b190206461683161d936f796e0e698b33daa3d06c4cf8c4

SHA512
2956c792bcd8ce46ba3b1fe3497f664d457f2a9002d5a4d21a2c17aabca65dbe88434155bc81234213368e714f0a7399249fe06c95dc26a7b47841dff2d2cfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25ad2f06608e34e43e95f20fff9c8565

SHA1
d379bae6090f6927a70aaa8c05801260213a27a3

SHA256
aca792e4d8ebfc7fc8d1311f1b7042877c402e9efe38c39030a99dd968a8c928

SHA512
a670e5ffd37446348e5cdb0e156cbd244965c151ebcf3b7f16843dc923bf56edfce61e6dbb8a498de88d8aad66c24995a0e56a7eb0c295a57e760801d1b83f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
edcf7f44f03e2ea4c64225f9ec4f9c10

SHA1
8ce8593dbb09421690340d9f74210374c1ede414

SHA256
08a3e03509b60bb823c15e4ed55c425e5f853dea19bb428a2f96b4a074ca5908

SHA512
65c128268f5cb1543c11eee317d6b66ce7a96daf2b5ff9a0e2a71f4dafb1ad5a7ab15ec982bebfbd9050d5a32e73dedd079155fb9d27863dd22754d6be279dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b3ace9534986b5148f01c59c33d8f92

SHA1
4c6407709cb22a75cc193350cbfbaedba577d5f9

SHA256
a96697f9456a5724adc61642db40bad5bc968e95809e0e936d93206835e2c947

SHA512
203f1de305b1fb861702328d71f7ab283903c0b5d0cd14b90e0ec5a465f95fd9d1077d466981cbbba2a03ac97e4d1e0ee5a2bd7d3b2f21d334d655bcb683c5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3aa395f0b15328c486db9797b578aa69

SHA1
3afa6beca67d9a87e4877d5d3c6e02e14a32b4ca

SHA256
44ffb23c2b5575e2081d64f8d55f7784875a916771151a1d404ea88811ccc5a1

SHA512
6491421aa0b06d81e0fe875b070d2a3916c0cebc5500ddc621acbc6b0f52c5f6c6edc7e8ac7535b4f05505110c5e6253259dd6b95e903a834f642ea2874af359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
634dff6bfdac8a47294cde1327afe6b4

SHA1
9fb3e82b82cd9ef26c8c30d70060f78bd66fb5ca

SHA256
8c780ba750158f9fffaa56232bde187c2d89f6c0bb6c336b8d806d320704c55d

SHA512
842f722dbbe40027a19119783027f16bbb2f818e9a5ed26fd1af84c76013739252ba13df5ff9eaa4e4dbb03c41d61836019c24f40cfd981c0dcc4bf1bfd32376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
348bf6f0242f5f75d7807ca7085f6a8a

SHA1
9219910c3c74e9384af4d09097c5359b1beb49c3

SHA256
62c2fe51e221fdf86d80f653dd1c3a74bbb3987a3437b6a902aa97c5f56d17e1

SHA512
a0d966ad64bd2a9a2e2ebd5bc9ceb73f6fc7008bf438ff16b68317b49bce37009f7246d50f298948b9afc47dc988f9165fae9d2d036d1a94b65fda380a236d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74f2635f9b1f8da33a34d2002805f674

SHA1
46ee58cbbb0c719051c0d8af533ac67235f097c9

SHA256
b57fb663ad9619f1e61230de3b473dbaa362560760426b4513068992dbb66c6e

SHA512
b6ab5304689ec2c3b57b2635d0fcc7af5a22b33cbcd62c692dde919d7b1db79a388c3af56026aa79b3a2fc07bf1e6f17f2132a23c87c73fc563f4f0b6f3ee9bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c270.TMP

Filesize
705B

MD5
a0a457701302592c7d9aa969e6d8a842

SHA1
f9f426fcf65164fc2bdd0d2ec662df80ebe2dfc2

SHA256
533270de03a1c09042ab6e18cfe2376443b67580f5c413cafcf6ac833f5a4ed8

SHA512
f0fed04a7f4d4efb8822139ed760120c6fa844e89427bab691da53329aa4c19611ffc50d290d4407fd2d05a6f28698043b190fbea1e1240bfaccdaf282d3d759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b81b4d82319912eadf6f28f843026d4d

SHA1
51a08520f9ab59f1074fbbafabb49bf8e25d568c

SHA256
228763195d41d020a68dc0a294a6e1a93ca501cd0c5cc2c734ed70916ea57aec

SHA512
8c70fdb1a75a3bda16e4f4bf9d24a1d4b6db54c2c008d3827e9ab2fe051691571206f5b1ff8ca45ea79dd7d16426981006e3853dc990aa4c2217841717da0791

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
5ade398737c7efe64634e52671673b8f

SHA1
f9620a7eb1d2bdd2911558ad91df023e6c0421f6

SHA256
f52eb3b89daad1f8a9b8a049dea53c3b770cf53b76f2bd7eaa8a585a1b5761f5

SHA512
ae7af7c15db86c04ea7a80b74412ce047f7b9f23b45c535432ab1025ceede22bdf211f421f55b00ada68fc6b585f288328f7f26b34c6e15ec27bf82e639f2920

Download Submit