gozi | hxxp://I̴͇͇̣̒̄̄̅̐͜͠ͅ ̶̳̈́͋̂̄̂̈͂̈́͝k̷̖̰̳̮͗͒̈͝n̸͙͍̙͍͖̳̻̟͐̌o̶͈̖̞̰̳̮̺̼̺̍̈́̎͝w̶̖̹̮̺͙̘̺̅͋ ̸̢̨͉̦͕͉̝̳̍ŵ̷̡̛̼̜̭͓̹̯̱̄̅̎̈́̊ͅĥ̶̦̩͇͎͎͔̫͗e̴̡̧͕̞̤͇̭͆̎̎̽͒̉̉͘͝͝r̴̻̣̒̊è̴̡̙͔̻͇̗͐̋́͜͝ͅ ̴̲̭̗̉̄̓̒̀̀̅ȳ̸͈͈̪̈́͐͆́̚ͅo̴͔͙̗͖̙͚͋͊͗̒̇̏ǔ̵̯̞̫͈̾́̀́ ̷̢̛̰̌̈̆͗͆̽̀͝l̵͓̓̈́͊̍i̴̙̰̯̟͇̫̯̙̙͐̈́́͂̉̚v̴̢͖͖͍̲̞̅̆͑̑̆̋͑͌̐͊ē̷̛̞̝͐̑͐͑͌̍̕ hxxps://www[.]yyyyyyy[.]info/

Resubmissions

16/09/2024, 17:34

240916-v5tbvs1ajf 10

16/09/2024, 17:32

240916-v4qvcazhma 3

Analysis

max time kernel
116s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://I̴͇͇̣̒̄̄̅̐͜͠ͅ ̶̳̈́͋̂̄̂̈͂̈́͝k̷̖̰̳̮͗͒̈͝n̸͙͍̙͍͖̳̻̟͐̌o̶͈̖̞̰̳̮̺̼̺̍̈́̎͝w̶̖̹̮̺͙̘̺̅͋ ̸̢̨͉̦͕͉̝̳̍ŵ̷̡̛̼̜̭͓̹̯̱̄̅̎̈́̊ͅĥ̶̦̩͇͎͎͔̫͗e̴̡̧͕̞̤͇̭͆̎̎̽͒̉̉͘͝͝r̴̻̣̒̊è̴̡̙͔̻͇̗͐̋́͜͝ͅ ̴̲̭̗̉̄̓̒̀̀̅ȳ̸͈͈̪̈́͐͆́̚ͅo̴͔͙̗͖̙͚͋͊͗̒̇̏ǔ̵̯̞̫͈̾́̀́ ̷̢̛̰̌̈̆͗͆̽̀͝l̵͓̓̈́͊̍i̴̙̰̯̟͇̫̯̙̙͐̈́́͂̉̚v̴̢͖͖͍̲̞̅̆͑̑̆̋͑͌̐͊ē̷̛̞̝͐̑͐͑͌̍̕ https://www.yyyyyyy.info/

Score

10^/10

gozi banker discovery trojan

Malware Config

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
3060	msedge.exe
3060	msedge.exe
1864	identity_helper.exe
1864	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2144	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1060	3060	msedge.exe	83
PID 3060 wrote to memory of 1060	3060	msedge.exe	83
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 1148	3060	msedge.exe	84
PID 3060 wrote to memory of 384	3060	msedge.exe	85
PID 3060 wrote to memory of 384	3060	msedge.exe	85
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86
PID 3060 wrote to memory of 2964	3060	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://I̴͇͇̣̒̄̄̅̐͜͠ͅ ̶̳̈́͋̂̄̂̈͂̈́͝k̷̖̰̳̮͗͒̈͝n̸͙͍̙͍͖̳̻̟͐̌o̶͈̖̞̰̳̮̺̼̺̍̈́̎͝w̶̖̹̮̺͙̘̺̅͋ ̸̢̨͉̦͕͉̝̳̍ŵ̷̡̛̼̜̭͓̹̯̱̄̅̎̈́̊ͅĥ̶̦̩͇͎͎͔̫͗e̴̡̧͕̞̤͇̭͆̎̎̽͒̉̉͘͝͝r̴̻̣̒̊è̴̡̙͔̻͇̗͐̋́͜͝ͅ ̴̲̭̗̉̄̓̒̀̀̅ȳ̸͈͈̪̈́͐͆́̚ͅo̴͔͙̗͖̙͚͋͊͗̒̇̏ǔ̵̯̞̫͈̾́̀́ ̷̢̛̰̌̈̆͗͆̽̀͝l̵͓̓̈́͊̍i̴̙̰̯̟͇̫̯̙̙͐̈́́͂̉̚v̴̢͖͖͍̲̞̅̆͑̑̆̋͑͌̐͊ē̷̛̞̝͐̑͐͑͌̍̕ https://www.yyyyyyy.info/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb34c46f8,0x7ffcb34c4708,0x7ffcb34c4718
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10586393850653144591,16761956306817079340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x3cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
1024KB

MD5
6fb34b12a5465c3bea4ab3317d13886b

SHA1
ee795577d8beeb5c85f907af9ca1b91ac6597bbe

SHA256
ef3634be74ec989792d844dfd76fe3b46f0e2cf56ceba0d9cde8511a37b93d84

SHA512
609dd87e90dc02e0d2be89123ae2d662d3a0d77ad58d86a12cf2ab14291b290f5efab2f2165b328ff64942614fdb2ec5061051753318dd5720e1d8964e429a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
199078bcae11feef54a539a3ccd7ecf3

SHA1
c8ca50747901f9f94a822e22aa1679d4c2b7741c

SHA256
9881a0e8d56ac8df511f9c654f2a5ddcc801137242a680a01abd60f29ce33eb3

SHA512
58246d6071a79841bd5ef624dda412b52c6b5889f3fb3fbe7cc015b4446c7d740efd4867825352b8744503f7d9c5a8e272ca925cd98467ad0440c4d489d1b765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
854B

MD5
3dc65ab67cd35ab9411363f2ba089769

SHA1
4902fce2abf7c2421c68d4509e4f6ab4427bb362

SHA256
00602914ae2d12e3a48f5f0ea1ff35c0e17e4bac24aa1694be22247cc9cf08e9

SHA512
8f36b8c216eaa9bf1514ed8334fe384ab50a7d51b20f902e6c9a00061e0dcb30361994e48f3ec07571434b8c3f5fd8cb20979bc90bb0a9e744724a58ef28e13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc404a203d4f31e8e2951c2e1ccfff5f

SHA1
c2de7750f6a339f2af45ce2bcc18151f52620a42

SHA256
a84dbd47b0aa21bcce6f1195e688d01033a1130fb0ced143b4c64c3dbcca9771

SHA512
16b593571455a2f22265caf6b8a0bc2857094b7a2985e2723d7c71c4cc2bb372d0c60a48ca7946ea77ae03e9cff7cd7255654b5f8da190069b2f20e27a0a7dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f826ee8ecd9548de69cc6461d3afe367

SHA1
5f1c7684806ae5359f73cc5a840e23b7886789ad

SHA256
ac56d3efca1fea8dc47888d80889335197ed4160268cf63a5f805e9dbeb6385f

SHA512
9f7e975bd265f30bdc5dda76d69fa2c0b8456de97f04579e9436a93c124909f36d31fbb44916f66f1263b8d1158d35a32fa82ce1b9889815118e3979ce958d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
375337b5354d0230615713310e9280fb

SHA1
c56ebf5a8ea8c6f83e207f2973a97f20a89ae24a

SHA256
8480788e076639e582da5b001364f56f876850e0e53b29e158bb55176aa7f8c2

SHA512
e8e593646d775626b2d447d2da1cbd3c5b661dd3c14bb60fe12b3b0c77fc86e1b001c4c9be10768cc79d6cf904efbf4f4585738d6b1a6e51a30da286b1511406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
48bdf298bd058750c45dfc7be0bfeed0

SHA1
8213a0c4ef7d14263fec8ed3eac89909879d7cdc

SHA256
1a035e911f74765fada9f7424b932b414ed3111248ee28edfad45f3eed221740

SHA512
1565dfd72ace4028317800cfa87a8c9f24ae7995dad2b9e6c741de47c4f87569da5dbfa4d44033fd98c21098f742d14879a88c47a3f7dcb33cb6d446f0a833fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
8d7e570af2a4150a8f65e74cba3fa3b8

SHA1
ad7e3417a40f6b154178452d2a0f5ec339b7e33a

SHA256
f8f9db5a76f07ee4c29b6f97b1dfd05df9fd7adc026e9d53027953f860a1eeee

SHA512
d6fb03e983f684595f7d9c8f7076e3cf140e5cfb682e692e7368f02349a393227cfad550a36d68ddccbfd14b7f740bad55c3fea0d293f29a08c5e5ff7fad04d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
e6dea08386a628232456a6940888ffc4

SHA1
1ef2e35a5c40f79ddb140fcb5bbfeed334986339

SHA256
011ec8ccefc17bd2b0505a5d9d1664eadd3a59b17af16d06c50a0888222dcf1a

SHA512
e5e12d9771e382ea7cfed0db266a6d64c42dc551198aa5216a7f59ffbddf387c05b7fb3280b2d7c594036b1c292fa87f1fe7fb5ec3f09bf81d2ae905ddee7628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
91b377e1ddfbead15057722c7123cc37

SHA1
10ba88870cb633c5c0f903c28dd564e135b01f27

SHA256
a18094ecde3a335df4d8c0bcca131f8d23dbc86453b9d2c43f8c3cf5c0de9f4e

SHA512
408688b960e73e2d09287e9b5ad9d657dc0c7a7d32a73a20f5b396084ec7c9b2e4899e9603fcd7860d7de11c085e16af46403292f85c4a4b7954b8755fdcf1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
e3ee8137aae6f34ffb81b6947b9d16e0

SHA1
dcd397d0306496917d58ba507a23d4f84da813fc

SHA256
2b25c00e95a8fa17dbd75cdbc23a758d6cde10750058a7fd762e5fb54ccc20d6

SHA512
bb84c5bd092e678c51ba96b24d6d2f37c2a2bc27a5f2e6357abdbc8a92274c93bdff3052f1bb780bd91494bd7762353f0a6f0bc868bebdc71bd89c04984c4970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
876B

MD5
038e99646471863a6544a5aa3ec7c648

SHA1
5e694c79f315b09c69c2d162f6a8906d6cd7d933

SHA256
e89bb0713d99b5353500ad1f1c7230f5c0b59e0380eac64524ce481a05e5b99d

SHA512
bdfa042b4b8d2daf7e3cc7095488772a8edcfedb090e3ce5e62cb9bca172e44f8e239c4b90b00546bebcb9136386215673e0bd90be0f70554dbf6693b4b05ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585b69.TMP

Filesize
540B

MD5
2e8b43b696f743457c0177ce11d51af7

SHA1
1bd880021a7fff3d377ce94d87d1e212a10867e8

SHA256
a508365b64df4314c2e938bfb80ea3304f2eadca04380068d9dd51e0a4a62143

SHA512
4791b5f6436e3abdc1a967b16edc74d10b96234cc2364af236954c169b6c62a606db805ef3ed853669280cd450eb158f09b68616237d06ac3f92c65287beef95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fcd0cab174e9dc1dec83297996de8a6b

SHA1
f9edd050fbf9a2cc0d3fae06c4af41a295d3dc2a

SHA256
fd257ca8127f30fab2f360f5cab136d99f1365380452ccefd81b00d6492fb104

SHA512
884af4064303ed3be01a2f866fb62c5febb458cc3ef7114d65f5cdd81a92fc15b20f0ec01b90a5da8a505bee086edb9cc50e6feb04603b3dda0ff7d8c780e732

Download Submit