hxxps://solaraexecutor[.]com

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://solaraexecutor.com

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
100	raw.githubusercontent.com
101	raw.githubusercontent.com
102	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{64569E84-9C8A-40FD-984F-38C27A88FE02}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 381889.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 489575.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
1392	msedge.exe
1392	msedge.exe
5056	identity_helper.exe
5056	identity_helper.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe
1392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4272	1392	msedge.exe	82
PID 1392 wrote to memory of 4272	1392	msedge.exe	82
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 2996	1392	msedge.exe	83
PID 1392 wrote to memory of 3600	1392	msedge.exe	84
PID 1392 wrote to memory of 3600	1392	msedge.exe	84
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85
PID 1392 wrote to memory of 3432	1392	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://solaraexecutor.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd45c46f8,0x7ffbd45c4708,0x7ffbd45c4718
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3268 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7432 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7329200232991581412,16941236111933020346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c 0x2f8
1⤵
PID:2944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
41KB

MD5
fdc0fca51c36eb5c7ce307d63de232a0

SHA1
5577debd68e0d8a2e0255fccce1898b759ca8827

SHA256
d530c57d71325f2866ce0cb5bde0e2a62dda47eaa4661cb0f466ae94495bbeef

SHA512
6458c32a7938df09fec6648914e9034ea84756aec2a906260001f9b33a841357e4c3bcf432eb29842d24457055d81d291ef23381c09b40c95fe46ec04ce28297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
9022525271501254923f1c8c52cd5c69

SHA1
410e944ab7bd321da85de712f7a53d649c0ff4a5

SHA256
b56bb3d37ce572920fe5f5a1151c9bdc557513c4202ea6d2d1d8fb4e3bf97ec9

SHA512
0d95510ef7700a1c6c60475dfaca3840365ec2c46f3c3c80724a0ad435f94df43c64cacea8bd9b44f734cb67a062530142f4599f69475cd934ec54120ea75683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
632fa41f4dced75bab3dd81307a235d0

SHA1
40f6d7ee195053ff818fda23375c48c84bb86f23

SHA256
6e007cb157349a29614be90a85581fab70fc172c7d0d6921ee3b0f5c0aeac5f8

SHA512
ca166692ec95d6bf31b392626aadec023da36037407307a18401c722165e545a374abc8b2e61f64074ca45fd8d442cf609e2e648ef42ef5f5f24ddfc46a432a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d4696a0ea9d973da36b3b923df066184

SHA1
cc95a4ec5edf8ea935016835a051d086d16f8ce3

SHA256
07e21526ef0ea02baa93abc1048b174ba278d139b38dcbb0c5ddc10d8cc66cd6

SHA512
df9e3115f1fae5da59829a0aa7b07d120b6f29663d791f5076b61b630536f0481d3e112908adb91c0074a55ff71438735fc7b9277e0f205f100feacbd974c144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83bc19b59c8c3c379d9c257da6f69230

SHA1
91316410c2b83d72dd3f174d49224bb994f03e12

SHA256
781ea1081a8cb44fe7d8ad32c2fec8df4eca469adaf3ee776f349bf9b56a1516

SHA512
866de70047064ecf1b24ef8e05b674a7c576698e3d0cab358cf226da347734068017d730279347778dc7fa3bfefa0063aaebde0a20d20923b2e7e39c00a58867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
608deb7c364e1cc52b5a7338f2d1fa9d

SHA1
a1203b493570f325326d9cd4723967af5d10da8e

SHA256
9dc3f9a221d86e9c0531dab079552f37643f5d16d39a0d0d8398e860d77afede

SHA512
be3d1d431efce3e63bf9b62b9d3a73a30a38d33c9e4775e8d9e18e21e9ba18fd987f431b5d55b27d33226b36c308d6d3af7159df5f0cad07c612e0d424f17e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
59c1cc7293d504f3064f9336e396bf40

SHA1
77489836a6a6f9c8a14c512c0485b603fad03cec

SHA256
295503a1843ffd4b8d6bb663bf896a88452ee2e2cb096e4f4aba82430c8f3f81

SHA512
c7726a86caafac5435740272fcd0fb89adb3c0930f07fc37c37c801f5dd52ce266981208e278d74b3898971e86fee9281b914be21b0c5fb08c2a6b2be854ccc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fc9a2c466857ad9b1115477a99fed4c4

SHA1
6ed5abcfdae40c32b0ede3e1c28305bce2531ee9

SHA256
53b9116a08522eb61fe8716e112c5d8fafcb301960b2dad767586ecac3ad94dc

SHA512
2ae3b8194abf82b63b1a9a0d9672e3a607a82ed4883ea707cd7459bb99f6271e2e7a3a205abf1b9afbee494faa0bfedd27fcdd7335e811236b06462505528b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d5d270fac1dfdfaa385feb36f774bea2

SHA1
6cb8340c6b2dcec0147906c7177d09e0dc3623f9

SHA256
cfa106ce9cd6dd192ec8e018c4ebf43018f6a430c4fb61f9c2a80c8d4efbcb94

SHA512
388186078c3f14498bbb3a7f43e92ea343cde3192386cad2bbc4065a100f96de04942a99ff1884550fa82b1b5e52e29ad0271bc27cc2b7de7ed67fc6fe673dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5eab070b4ee9ddd68e0959998d4b0ba2

SHA1
f2f9c2b0e7749421f143e7ec102c1315ad7ab72d

SHA256
646e39a1fe231b9ab0eb8f352ea2928aeefcf9fc033b9c0b1b608701fb8b1bd7

SHA512
c70f2f1997018da50cf1f217a6ca8f8882d83a2a27cb560dd34b020c5dc6413917fbe96dd92827462afe46a9371853cf6683fdd7daa8bc8f1f8e52896a506599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
72549d810722de34f18e925c93a77f54

SHA1
fcbf5de585372ee69bc822b08138be4a769d2a3e

SHA256
eed6fa3e3f85268a17902097c60a641df90adcc9cff4a7ca9c052664ce28df3f

SHA512
adb81b9b267cc38d2877cb87a01ccb39809997ec39a664794909b6cd2c4ed317c3d63ecc20a13cf25a1ce2586032818c76a90847052218286f1beb46db6ded2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
3df15fe4d6b3c6b8fd7ba39112dabc90

SHA1
79b894bf9be99d4226ec74fb292d00c62970b85e

SHA256
8828fa4c1156828f8a34bf56722f521f01e5db452498b19344c9b5c12acc53f6

SHA512
4af2d27143bf9f13c1347f70d7ec71ea3cb3f548c4e31ba6e00f15766e707681d9066e48126182829f9be7090c6ebfcdfd9787b04960dc1ab6deb974188f45e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
4ae391318c96daff2393f15f61fedacb

SHA1
86d572bb0b1518514468f44e321cebbdde17d5ab

SHA256
588c7ca8ee76d4909f2f12774a873c7f392c12ec9fc11e4825b25a01c7b5cce3

SHA512
97e18424352e52a388e0f6ef2723f7e0cea6a3bfc8a16b1a3cf43433bbe2fa3cb2abab02c77ee83aa6fd5f3796ddd2c21f4dc33f93b88ca12688b96ab05d37aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eb4a.TMP

Filesize
204B

MD5
f8442566504a481bbd2e5bfc56fd2b6d

SHA1
f958d55bdae9e153ae69f1d4dc9d7229b8232c0d

SHA256
7c8caccaa73176bc4462f0d7e870b9fd6e621e62e60ed0f650bc45cc86f7b613

SHA512
8d015d79107c205dcd06e7507ad4b8956a357d443d15fb174d4f3336bbf4793b40ffde7e56ea37f562a82d20e5b93b490993abc90e7588e1bf69d90bd09f6101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3918549eaaf75b4b4edddd9a2fc4e70e

SHA1
ec4efd655f2000cb7303856bd55185488d298a5b

SHA256
cc73987018bcf79273f8e409c27ca3c7a1b12121a66a64e22586f4606c91ad2e

SHA512
a49520959e4ddbb9679c359b454fb99233284226413114721382d37ce8cf410a8909a9a3d4196ff77b7901f75b55c93feb448f29e6b1dce9509c763f18e5da4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 489575.crdownload

Filesize
795KB

MD5
365971e549352a15e150b60294ec2e57

SHA1
2932242b427e81b1b4ac8c11fb17793eae0939f7

SHA256
faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

SHA512
f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

Download Submit