hxxps://thetvapp[.]to/

Analysis

max time kernel
210s
max time network
214s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://thetvapp.to/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
1472	msedge.exe
1472	msedge.exe
792	identity_helper.exe
792	identity_helper.exe
3180	msedge.exe
3180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4752	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3980	1472	msedge.exe	77
PID 1472 wrote to memory of 3980	1472	msedge.exe	77
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 3100	1472	msedge.exe	78
PID 1472 wrote to memory of 4504	1472	msedge.exe	79
PID 1472 wrote to memory of 4504	1472	msedge.exe	79
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80
PID 1472 wrote to memory of 3408	1472	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://thetvapp.to/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb9773cb8,0x7ffcb9773cc8,0x7ffcb9773cd8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5656 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12268986078725272643,8507019318910262807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:2604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x0000000000000484
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
59KB

MD5
b3ca2c5e0165d6b2cd7e92f2af28219e

SHA1
1affb914c2ef926161a6776e23ba4c7f43f255fe

SHA256
20d18e1c2e86cd650f6368a4ec3b1e6dcdfd8cdd93160fa354d7cde60f0a51a5

SHA512
cb6b0f0eefce264b49339b1bf350e2622e8b2649ad2741488ee47ebf9604f168d624e93f2f2931775af62aec30ae22b96a4de33b56ee5ac411b812d04dbb8518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
108KB

MD5
083f48f280f411df9e70c29b295ef3e7

SHA1
e34a74ab2f39d2f82236d4702691d45a209c5942

SHA256
d12a75ad701a949b2b263c3ac34987669e6863fff113aa3063ef94a184d193c4

SHA512
0b511f52054731656399b9b22549dc21e8874f69320dbf4c693c86b3764149b44ce5385e62799dd9d41796a9f2080c4899a686154dec8eb0977835b190f16993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
36KB

MD5
5bc2d587fff8dd5375f23085abc58d2c

SHA1
01aeb26f2ae1bf6dd7f900deae1b7bccc26e8ff5

SHA256
7e1409fe9ba3597bcd67d1aae704cb59fb09bee820770e965cefb575c60fcedf

SHA512
9760633ccd0576df82515f7ea9403eb1f395a95a0f6890cc0874f3f759240071e29c446b98e008aa9b5d76ee9e66b3d51902bb0a8bdb09e44ef2c5dcfaa18dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b430ea0adf06688799ed3bc4e56b2a5d

SHA1
5f14b5e18e2fdeffe53a3e2919498be3cd0658fc

SHA256
54d79d9da5009db7129f87cdfcb9e90d6a8fc68eeaafb7a82a76e9b235744f12

SHA512
e16c3052b243d5fc699e3ecca79d5e9f16687923dc8ced6dbc397eb6c34c3429a891dce26425ce9e5a2414f5f8ba6482e72cdc703ac8515e92ddcb831b185a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6ca0540e6f96b2336f314709d11165dc

SHA1
bf6dceb41993a01b6b11637a608ce18fe56efb88

SHA256
22613ec7a80e9cb709acec64ff68799bcba4e884861e78bb778cb15bb93a2b58

SHA512
c74bb5fbd6bb5d71b737bb67f15a3d38133adf8e38e671e1a65038bd7795d34eaf19ebfeb9fa70bba92a54831d74b83a18a445bc325e0ea9b079a059b01014ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
72B

MD5
20b91df46f6d6b7cac0f20c0526d33b2

SHA1
013b69a3192c04764082e531f93ad1a0a1b7b0c0

SHA256
c12e7cd80ea9058035e643c474ad8268c8e31b6a823d81a7753fc99faa5200a5

SHA512
b0f41414ff80809d52fd0c6b3de4f527e52e0161397d11a8d7fad7c18bac265500eb3a7b98cefb297a9ce910faf88df30cf71eb43fe660331ea3e4624754a3ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
538B

MD5
55cc94080fb1d5dd3fa462377f614634

SHA1
fe54d38e5171d38f867e30376bb606ffdc7e818e

SHA256
476e599faff43a66720caa93a28d23d8f1cc5a19e2b2968a00118ec196746e27

SHA512
91e246a1fde1d2dcdd0ccc8d68b734cb413201c55dfda44847cc40f7b72ec272d8f9ec9ebf4dd15a354cc82afb0aaeab7d0f9aaa8cdce362126820e8a6a9aeb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a513d769a2440259f3506eba13ad2708

SHA1
1125955a34378631b96ced61ea5dd5b84a5cd158

SHA256
1062c929aa63beed262742cdac49f5038bfeddb58560af5a284c64bb4db3d1c1

SHA512
7cf5b153cb8c0effb2ed7edd11c5f5ef8d38b4ca56b032e2da4fc06e9142dd5ea1b89cc44acea5abf9c3a84cd8318ad749428a7ddc1587d26b3f0dc057b6da96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
441a29f0b92c23222ed280a289c5b20e

SHA1
1a5e8ebd82bf5987c3197ce20adc338815f2d009

SHA256
4a8ca2f5d418d0bb0840dc0500a546bf5664c8711edfa895793d9686c3037a07

SHA512
27e99f4fec72e983ec86a31f95c1d8b35b27aeba96e613132620470c32f4c28aad0612ee2c88f5df76dbd37185d57317d4074e3169ff80e84ef15b4ed765b8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d4c5d921657c1a45abcc158d0fd1049

SHA1
a2bc2f2451c105379d8e12dee6c9103e3beb27e6

SHA256
2e96acf69fbd435d0f283c63ebfb864779d66cd9823a8f55d35fed771d4f778c

SHA512
46919b59964ecd94f1e3fd1099d7cd1db0d833f0e60f14169f934439ed5f2bfd96a1be8dc8fda450c203a41f862a706df0ff1198874d6328687287931cfe38d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc11663650b6eed154cad3f43dbad63a

SHA1
5e0949ddbb7992106a4d0d90bf4ac5119c6e77d0

SHA256
745da5a6f7a3e0f24265d635d23a568998dc6e2cadfd794035bdf67de9fcdf69

SHA512
8bc74cd4a3af1972791bad09bbbda12a971c35ed25dd28ebae05d0cdd394293cefea813d33f952419ad8b1a74992de9ab4d904eba70d6f1330497bdad9a593c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be95f9a26a7f91712bf5e6145f143ae7

SHA1
1734602a6cafed0fdfa6f21314bfe4f761b3e915

SHA256
e427e286abcd57379b8aadc0e6684d9195743025b2e226ba5544235f1be25040

SHA512
6366198eed4a2e219c27b98e1311f43936de5b5c3a9ddefe2409ea803f90d5f570d39a0b3d80d60430ed7f8a3bddeba8f9be8a2e725ad83d15e6864ef3dec6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e8ceea6a14c916f92ead2c98e6fc8888

SHA1
fd078788ee7ecf1a5f3426e1884b949fbec3548c

SHA256
8838efbd6be1a10b88143ab84563316b58780bbc38bd5a041a1d577d80a241b4

SHA512
aeca98c24c5f8bc6792cb1f2eca3c9defeb0a541eb58ce5e1089ea66abcf38e811e743889c98ad6606b8b61c0711ace97dab339a928200aa3bb7014259d3a20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
23c6b735937d5c10045042d46e00b152

SHA1
26a300baf0c55359d4ece786854f92385fecb379

SHA256
b7b9a5f861208400ec05ece87d5ec982a8a947b575cb8c265264efc9461ae02c

SHA512
f7302b1e045d09046d7cd90e10ba81ecba6adc389e65d585961bd51d2df294d6778a6ee5c90aaf9f530fe265a63e79574be6b6aa15d685ef35cf869c7c090e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
125KB

MD5
444b981eddd38c2fd71410e133e6f123

SHA1
6ab074e539ccaf6d3913bdb6e5a37ee4430fc0ec

SHA256
29e9e8c8379df041e5458c470c4accec8abdaf91828981a7f2ea9a5442d66b3f

SHA512
97fff0a0f0514021cf0d4a1cf1c7d5afb936d6f73f58f4a985da6aa7ab85de3bf5fae32199825a1127c23c8aa3382f176ed02ca23a4b260596eb096ef2661e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
aa9a9387471e2e1e9db030bf718386d6

SHA1
2444715811ff230f622f567065e9c9976eea7469

SHA256
dc5f43b70f1d69f51b8b900493a23213a7484bb8637a7d98676d0b72d321fbee

SHA512
4cf40d07e3496449fed065a0a3231879bcac4c87c42cee6114b85327a991afb91934d0b062a861881eeb3489af77fa6139958546271d711337e86e1b7663ce3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a2740.TMP

Filesize
48B

MD5
38c42303b7375f5d570034f6f1bf2d25

SHA1
643d60047e93e7b3f1f5d7cbe54a8f1db0eed1b6

SHA256
fc6eacc1d3ce212344dd765eead55de612a2a0e238243891ecf1b0fd024d5f7e

SHA512
27c9ed9bf883897f555b3c2b0dd81172814f651c0fa33e1344958af3d86f16e1e434b660f6e35b85fbbd324a3853034f79750895cee11569d7f5ec985b130168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
529253a4f2da2092108edf989bd8fa18

SHA1
ee0761b2ffae7b31a68c58404b1b7cff0d56fbeb

SHA256
dac89ec3a0d0a1837966fc06465c86c22977cf8450de57294a26c776a474bc5d

SHA512
9fda04c1c339f13a1e99fe8419342fbd1fd0045393c66c482a2ef2db5a8d5f2078e97aea14a9c7bb0f5e51cd4659622ee0b5444e459b06a7822199c9596c5dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ecf6.TMP

Filesize
372B

MD5
094a0b2d8ed0dd4cf320e313ce3d97aa

SHA1
d36d595b646b4928bb2c96e7520e6f73c66d2041

SHA256
58657da113c48a696d55393db655aa9d219469811dd11c4f03ad3172b0176b16

SHA512
06da3249583943bd24b81f3bc012944bb1568c03bfb385d2170ad4d1a6b5f1fd1e5f8f01dd93bd7719d45bd51a3ef65ef4309fbc5f639f2a16511998e6eee0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c2750fb4-9264-4b80-8d22-6d60d4e0ce70.tmp

Filesize
6KB

MD5
740894890595249a7d94cee41faefbcd

SHA1
4784d5520054a115eef815307226ad113114caea

SHA256
5d0b5a82e2c2cff6f880af24889d980173443009439111fb531267c4b7fa2ea6

SHA512
9a9e5cdc258b49ea1ec2ebf127c56b22b1ba12cf365469c3e0bd9087b2887c12bda075633402c0251547525a14a8531acd3891a1f490b50d38731461e76256e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ebd7e7041b54f4670db338d27f2a6b29

SHA1
a8ed7a6c50d490466d587b9e2ade24c8e444d914

SHA256
c3f16e4bfacd585448830a4514b0c32db4d34537b1677014a02a7439b0fcf139

SHA512
8fce98600a175aa15bc24eb8179ab21ad0a325b8c89b0e12c22474f27ca36cce393a5603e3149f0c05409c393fe26c7f54de8c17bde7c0c3cce9eb54e73cee5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d4fdbee3062ccf2638e98ed64147ae34

SHA1
4fdc7da883e694cfd14a892fb4820a869d18823d

SHA256
d9d9e93033b26a311f4b955261be29ca7207f384442009614ffc4718426396e0

SHA512
7d35670a3b4a1a3539fbf67ceff0fc81d3803ff5b62446d86a97b5bfa1e69fa41a2718caeae631065d8ade429d7071f37256ecc432d6a4cbad3f4e98b39c1173

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit