hxxp://noescape[.]exe

Resubmissions

17-12-2024 02:08

241217-ck2hmaxrgk 10

16-12-2024 01:58

16-12-2024 01:44

16-12-2024 01:41

16-12-2024 01:28

16-12-2024 01:13

15-12-2024 20:09

Analysis

max time kernel
960s
max time network
967s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-12-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://noescape.exe

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
5152	msedge.exe
5152	msedge.exe
540	msedge.exe
540	msedge.exe
2944	identity_helper.exe
2944	identity_helper.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5152 wrote to memory of 6088	5152	msedge.exe	77
PID 5152 wrote to memory of 6088	5152	msedge.exe	77
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 3936	5152	msedge.exe	78
PID 5152 wrote to memory of 2848	5152	msedge.exe	79
PID 5152 wrote to memory of 2848	5152	msedge.exe	79
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80
PID 5152 wrote to memory of 3864	5152	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://noescape.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6b93cb8,0x7ffaf6b93cc8,0x7ffaf6b93cd8
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5592 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1984 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3100937085756904044,2741029873803493449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004D0
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
86ae1d81630614ce42789a9593323382

SHA1
23528fe47d0cc59cbe65d8ad9c4a6940ef9a247a

SHA256
d7157680936a27d6d03782c91354701f7e096dce7ce4e30b5d99b339772c1b0f

SHA512
1009ecd3266c7a1517d73897e2516434620ac51a2e102dd72725b91ff426b66c20c76e9b4a23cac05d1b689b663e191c0b61175b6b7f54a84a4273795cc2b4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2691e41a39128000ff034b41df77f704

SHA1
994f445041a720d99048f4699573ec0f338baebf

SHA256
3c240a0bd78e814933419cdc6fabf30ae3c8ea7448d3437157c846b58b9197bd

SHA512
f266b5f3016dff988803c9605a319c660d41ca31aa1a7afb2e72748b13996af350512da59d54079e40f901a9876b497993a7f9bbae55119361ff8f8dae4bb9f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2e6aad778ee8e18287c9a44fb4fa32ff

SHA1
7891c5f2b58db98f4305d616d69640bb3703e8be

SHA256
959dde53481703d4764edc4932eabb38245c889784ef9d22e78c0a137ff769a2

SHA512
b4d5594397d5d422a12001b220184f795b7fa064591870f3817cbc4c678e8fcc62f68b120fb9ae3097fec4da9b946d99176925f7350baeb349a79d19c4e683e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
785cd6a7107dfea964963c69d644a268

SHA1
c4801695ca4a411ea052c0e3caa299111281d720

SHA256
fa03e2ec244a8cc6cdd3f670df1226a76d0e5a5c3319c7c1604b98cd5393d2cf

SHA512
1f5293de020ef0ec89aa9e7c791341aa7b9a6e20eb68e75bf62d41a41336e92310a6eb024f1bcc01ec39624de80e75ec92a7296e2d48c5a42d1de1c883415a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
45805c0892f30500fe7b5d2317ff2a3c

SHA1
e4f07229804cd0f415d15deeab07543abfbe85e9

SHA256
314d8da1163397df84b2b3630fd38cb64fc3f3dbe1ac8c4fa33e8e1cc7bfbcf6

SHA512
7cfbda75b99cbc0c4336e0136df40eb756a092ae0d945266c158da9e97e6ea09f2205eb24df2b9c7fb72b810f03314da5ccbad2e761f4c89e1aaad81d47d0a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46443e093b2ff712d910c0ed2f85889d

SHA1
21b085072a21354f94c7b33d6ad23cc22ac30ab4

SHA256
b250aec50bd292bbbaf3b1fc5e30051419cd11aa220eeb89602d01303e96441d

SHA512
0b4b50a91471739fa87e857ee7d93a623cb13c480c593d76131437c8bc9ef198505eb8420f441fe243e23ca49ce9accbaca9d1da609a137635b37e083dbd4c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f9d86fbcc362acc2d75e5de2bd301065

SHA1
2a6711cb9292439723afe4aa0f53c0c0abc0651e

SHA256
04076742d4cf2741c7bd165120dc5fd084ee28bde022a2e76175fcfd85adcd32

SHA512
d5a8f267eeaaa0034ed7bd411ec06684935d4c68041f83b7a61747d6acb5b742d78d928321be4e24c4133bf517bb368d88fb2b14a14ccc2023a87560997e7c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74004f63c51919f27dfbf7e59563437d

SHA1
85e03e9a685db3e0b2808241c9b3d3e8e77800d0

SHA256
a2f08b3dae4a1d0d10a89c361ce26d5d00875598cb203fbbf141f341015a7145

SHA512
eeae969caae50676e20cd4288dcefa10a2e528621f9977a770c3ec53fccf83cb38f3cc52c724a86af4a98065ffeea70f25589f9fd3205e673601f1f98f09b7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9a15ba91f584cf220236a2acc8c6bdc

SHA1
6f8580c0e164db064fdd04f3322a12c1df17590e

SHA256
b140b1e7beaae88c99eff6ce8e3e9b6c6d2263bbb8aa507826a834ca14898e5f

SHA512
5d50664ba46cf4d6b76d08269c0ff157e48ab2663a90fec0a6e79ad1e88a78c8e25c89603a0a01ad4c97ca84564e80d15393253bf9d9588bf7d411235c08908d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
442a2ff0ba8b986b1d7f50d6dd99d7dd

SHA1
8585f436b6ffab014fc8d9eb748c8e6811fec2ff

SHA256
ba3f11537a52ec3104c8c1618c510a0a4e137608264dea424f509bf636fd8aed

SHA512
04fa2af9b031f37bbfc5886994a1cf51178eeec5107eec8391a1e816b2863077151720a8dcbc5f7c436e661e698522b5b3b03055b7908e7c97412d258b5b422b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c39d45dadc90b2c48ae19e15fa1682ee

SHA1
32419a7df680f0bc9121252f55798b335076847b

SHA256
9e604bc7b78e1b63e031816b39a013156fc525526b913cd50f14d03b8bf12ee5

SHA512
47448dbfdcd3d5d28f1077981843fd4b820b2022d8ca457ef9f5e36cbd39ec5e06b8ade8d094db28e936a8b21f0ebaa07ba1c102f5e6d8549e0393b9f31dec00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20e7d6dd7189c2f972ed88bad8fa7249

SHA1
1b9f15b7685104d6f5e34d8ba86e04aba9043ca7

SHA256
c10f7abc12bec52c83abab4387c3c0e33130127252b1fc1d6fdb955d13439350

SHA512
1eedb00e6f697534fe1bea59e94cde85715aa89bcc1fe64a9e2c716f2ef46425e2281aef42ac7ce108aad2d800a58fb4665eadf9d34cf63f77e820690bdcfb90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5db4fa1ead0800a536e4ed049359eede

SHA1
4661651521417f86088fd0bb4071e06873acf40f

SHA256
4b46fd8557e29e3f5651e24a9d405762d15d7ae36ec73b09fb10847075144112

SHA512
a279ef86168ebf9c67b9101d904c9e8ae3c75283e9f926e3bf4b30f9a00266e8d93ebe27061431b7d649236da93337d54d1d9e95034088b3b8376da79c0e95d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74b6a57bb81d79a94ecc88b6f74d900c

SHA1
7cf9ad303237f02e9394d1be6079b6c3b02fd76a

SHA256
6b9a93829924986cca348084aa08d9217c6fc10d6fba67bd056b4e2283dd8677

SHA512
63151e0760995ae65428c37f948db6f633d6a317e6ae752b0decde659653e9472aad488f24ebcf315e260d913397c9dac7f3eeff39620efb73c95fb49d6f2b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
d3b37638dc583445421e0147b6707e29

SHA1
970147f44251136c850a3157f01d1e50e47e5aff

SHA256
00fba69b45fe948b08f5f6c070ff7b32a1c976e7781e5194cd81136c4a4277b6

SHA512
ff7d5cd19c6decfe2b748c7e474bc236e0a08f178db602f3149cab71625c822d81c5c5463b57bfc511ea5a19f407e1c4d4ad5a230e04441b780a63d10d359cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
a40aaecb0e4c76ad2477db69ebb6ca49

SHA1
12609d1e0532246aec9a9f2e73dbf738cd90adf0

SHA256
5c311111577ce421ec5e6c30f8b8a227189f66ace51bfb9b119f8642932fbbc9

SHA512
af1605558734a271ea8735d6ba23c8ccdf9fbc927b3c7b2ff581c59e47db84316c1610e6413496af18106fe64d28da64c79f3803f2e75b8dc6ff058bd74eb01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586359.TMP

Filesize
203B

MD5
925bb577a78c30347fd2c7bd85dba238

SHA1
b7c6b51a1d2aaf90327d2d5f0aefefb629ada93d

SHA256
0ae1f2c69f9f4df06c53fc0371aeb9d72a4d30cfd25997e4b79b1e2607e15748

SHA512
6c96ec83112fb4769e8611c4e34ad0a6826f4bc56c7278ed8c35aaa693ccbb2d9aa5c8259323b1ae787ce76cefda8c0693bf94bb1c1fac2c1df139c6b946824d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0ad81d08837ac445acfb24e7a1b20c57

SHA1
19637d4728c1a52b7668d7f7ee064c96d93c00cb

SHA256
ba14592a08970b30855d702442ffc4702acae9e6a20218c8bbc80ba17b99f7f7

SHA512
39542ac6aa8cf0ded437e403538d57d445afb2309e2e4f84e105ff552d37853e7bbbe1083ae98a6eb045f7fe3db8e299306ccc3a17c1cbd7566a8be3dea24822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ccec379dd81479c1650b8346631535fa

SHA1
eb37e0dc556d8047e925ea087af15d23228acf56

SHA256
75659a220dc58bf058512478b82dd5c50b4bb13b2027906b052e79f39cec45fd

SHA512
7ba14331de2b27bf6b0b463a14a1844f797064cb8696424f7448f0e44176e5152606de4b41fd3bfd11efc52876861f46e5ff6bf5418604b8355f593c61cac81a

Download Submit