hxxp://www[.]poki[.]com

Resubmissions

06-12-2024 14:27

241206-rsj1wa1rcs 3

06-12-2024 14:09

241206-rf7ams1lgt 8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.poki.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1880	msedge.exe
1880	msedge.exe
212	msedge.exe
212	msedge.exe
2632	identity_helper.exe
2632	identity_helper.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4196	212	msedge.exe	83
PID 212 wrote to memory of 4196	212	msedge.exe	83
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 2096	212	msedge.exe	84
PID 212 wrote to memory of 1880	212	msedge.exe	85
PID 212 wrote to memory of 1880	212	msedge.exe	85
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86
PID 212 wrote to memory of 4404	212	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.poki.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1ad246f8,0x7ffd1ad24708,0x7ffd1ad24718
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3275598766298033016,1263226386754752570,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:368

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x528
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
27d9344de055e50044e074ec3b54231d

SHA1
d07ff356acb90c9d4fa1c1e3e48188b1a2eeaf8d

SHA256
d5c1eb2d4d0a13aa42ee68f03218ae01f420003f64f572b77cbff7d61edff388

SHA512
ad045b2f4e6d58e43de1e26a1d5c0a46d912b65caed68ac4bc07f0c26223c5a9927a74ccc8956e074ee74db6e7b05415f3baa3634a714f3048278982bcddf26a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
102b9fe7e1a6451e66f2654235ecc30e

SHA1
3a53352f4c7e60faca81b610f50ee2b774e1603c

SHA256
1f277de05a2446ff70e3c7386f46ebf62a7489ecfb68735a0a2544939a3a36dd

SHA512
45087dd5dae480dd1d87eaffb1572c29a3edb3ed3348f0b53cc145e839c4e1bb50d5f68702ca2e10b95c48a610cc999a398a4c7c8bb462e0dd49b382a46e13e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
163b8cbf72bf9733d0bc21c1578d00a8

SHA1
72ca7da3ea71e18fe48617d71297ef00ef5fd67e

SHA256
a6d29ba06960a7ef09fb38e147221dd93c9b4437b0cc50808831c1e2dd85c2ed

SHA512
fba9a09306ebaced1b9394d0b29e7746c71eae861ef30cd81020f6008e97412f853a0ef2465f91d811797081f35e29dbd4dc07dce89b33854e41d464eaa19f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f66183a31906434ddac30d53298880a6

SHA1
0d9360799e38068fdfc473af81b3a4123f097de0

SHA256
72049245e3af081b4cf03bd84fa5e40b67b84f5ff566569d3af1b2361f2722ce

SHA512
0eb54f49522773b3312410c909dd501d4a0797b282d20c284564949f312ec0caaf7bf87e2fb1de5825aafccd9055c5f9ce18056845d062d26538c2b724746dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f26b1e8a48be532e869c8a5cbba0b230

SHA1
c55b05b3ae6b151f9a02be8e318be9a1f00f332d

SHA256
8fde87cf9a473f049d4d90d3532cfa80cc7b9c77afbd48998041a1ac4e0ceb8a

SHA512
9a75c83bc74bc656f1359724af5bafef61619bd6afc710003e66c164a54eb78090e7c339cc5e781eaf2568e55efafdee106365682bf31007d6b03348ab200c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
95e09c1b364c091cbc1f361c62f85c3c

SHA1
6f3ac953544eccaef67e9fd00389966048d3354f

SHA256
d976871db8e5b4c1e25762cc52c07c691c6b2a868adb2abf11da4847fe8377a1

SHA512
58b2af025c344949cc2500902c2df274c09760875c875bb55c4da31df3e76e09d5bba6ed317c2b9bd7aacd49da9d0d8d82c57298285fb5091fdd6a9c175000ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3db9bbfc67d73a216f8ba9ecb2fb49fd

SHA1
72f1ffdc66f0252a687ffb8de2f02f94a303f76d

SHA256
c09e2fedf2364a16be3b3484cd5794bf2caacaa1d8ad9946019780b32b6e209f

SHA512
8bf3e3070152c87128685b568e4568f78874da92274673d66684a5b7d7e67c980c66c4ba57e625590bd93ea8f6e6d72ade577fcd1f19d1233bd8cbd26e94a80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80cc1d2a282edafa23b16f0bbc2902b3

SHA1
63802e831811c2f5af1537243370d7e7886b7d1d

SHA256
65d79b243f23e9e1a297b116f09a2202f86e54f3e926cdc5fc9cb9040c779d4b

SHA512
35b12af84255cf33bbffc38c7e5b8d9bdc6abf8c15cad80b087859e6b7077db2a0a5158735653314077987c1d890002cd25f8540e3829e639d94730b0f9a6704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
18cd833cc0d7fef30ff18f42157d736e

SHA1
e553e8bd949398227c3f70876eb2801f7a329356

SHA256
1af001c8f705e8c4388402af53ec3edbd7f205fd1671fdb8a5711d49f91d4b3b

SHA512
e2a7a2c0b28f6b96978d2d265476561030c75fe87e63e3bbfdcee5cb8e78da938fe3461e18ddf916caf30f601efed33b30b96cc28a0206add880ef561819a2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7ea6fe8a8e4022f104295a9ecc7cb38b

SHA1
3184e23fe25a8b78f93597856ca26c6e0f63b49b

SHA256
2114c79dd4f13296da9951994927f53e7b3b6b976bdab86d35905e156e68dd96

SHA512
dbadcffbe4307a73a4db14d0529f78b726ce52c1b533ed6bc2e9f6d551202c8818fb66249e53d0c1a1dd5b2f575970cda3510657f2699d90c386cb3fc79546a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
28ee9507f430210180c68f709a8c3248

SHA1
ec071f2b6f2b21270bef79a897c33756b17da7d3

SHA256
da6d33a03bf7cc2f40f9fe7675d051aae9e504b1e8a5a92e742414fb7f4713e3

SHA512
f51daf8c0e94cb5ab36213bf3737383c3f263a4581c00caa2f0a2f44193349a7c49f0f623a8dac265d3a2309e9dc4efb7c495b64ad10c84881aa7f4e50a82e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6d1c821f1ba25e5ea961889f8a221462

SHA1
1ffdf09b34871d312807edacf3e30e31938fed3b

SHA256
d10da285b25cb80466aaa01b0c9fe978514614cb4380ac0e8a1efa514d1173e3

SHA512
18027917099e2e515dca1e0fc20acd67d15ab1293d15b5e2375be7a2b27e072e5865532108c4c82f4edee7756b32bba099f1a5c9721d86e76664dc6319e53bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
762ba345cd53642a77335b406df39e31

SHA1
1de0d9983705debb620130b6552e1dea1b209252

SHA256
6a2231d83e15f8de25c049a40beebc6ebbe4c3e5b55c9751b2cd98721fa5df8e

SHA512
5adbb33853263b4752e8cfbc7150085b6f652e935d8ce557a36051359e0fc0c7d0b70a640452eb077cc996c49c0f27237f3690b2c872afab865edb81f30553a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
868B

MD5
64b8c713ae9eb156590bed322b18c5db

SHA1
f24876e37659c687bc81f13fff1196f8f4b5f834

SHA256
14df63d26882bfeef401f2af4e722a68830bd5193d11657df789861f8109b2f3

SHA512
e853d88c83ed5e57c6d9ef5370760f23473d8c3acc1601b01b65cd1e9673c94e73f67657e26c32d26013a2f86a7e5e279d2ae9f3a0312cf8b4425a374be06cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58023d.TMP

Filesize
366B

MD5
56ed1fd44ebbc67a8932077a6955a36a

SHA1
9170c653a5e618ae790b9c393ea4dc3c650d6d10

SHA256
9c981d033f65dc6d6e17609237972116c70bc9c6ab242270e042f4f8d77281ef

SHA512
c39e1108899e04b23032e75fdfbd12252425811f5994d2ae80095a025cad80a07a1ab47e8dfb73e898eb6f5ca4fde4c4e5e3c6523f4b59e966f525a24b622d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c9ee238d-5f07-42dc-8984-35e764656d5a.tmp

Filesize
1KB

MD5
f34ec48c39ad3c6cc6aab5eafd63c35a

SHA1
507c4cfd26c1dd8ecc7771eb19457f8d4b718dc7

SHA256
3fbc82845d7225e9e9ace1cbea09571c9e06d4dddc7b49c43cbc662ee5ab8e9a

SHA512
258ba4b6f8d3657f9e4e78c5a6d3371536a69a77e0eec404ad4654bd17ef6cfccf160f83284811339f04c12b9b5c8fb0664dc158641ad509b5d599f91eb2d635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
71c3287aecd19aec2d06d222b8542e62

SHA1
5f3d3f000fad6d625faf813ea5b3a73b74893951

SHA256
343dbc8c3ed1b476418e3271e33e6436b63990d1be7f3157d88d422d1d965937

SHA512
c9b1141166ed3a83a8dabc5a977f5774589b8dfedca3675c78d8acfd4d2a639e14a6c596db7dae3bd378c1e1e1f4322e1ff8ee466b965bfa0052b6eb0954be8f

Download Submit