hxxps://intakeq[.]com/export/consent/66759da5b825bf5fcd44c7ca

Analysis

max time kernel
184s
max time network
186s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://intakeq.com/export/consent/66759da5b825bf5fcd44c7ca

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

3740 msedge.exe
3740 msedge.exe
2612 msedge.exe
2612 msedge.exe
1064 msedge.exe
1064 msedge.exe
4888 identity_helper.exe
4888 identity_helper.exe

pid	process
3740	msedge.exe
3740	msedge.exe
2612	msedge.exe
2612	msedge.exe
1064	msedge.exe
1064	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1592 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1592 AUDIODG.EXE

description	pid	process
Token: 33	1592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1592	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe
2612 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2612 wrote to memory of 4188	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 4188	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 1340	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3740	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3740	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe
PID 2612 wrote to memory of 3360	2612	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://intakeq.com/export/consent/66759da5b825bf5fcd44c7ca
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95a933cb8,0x7ff95a933cc8,0x7ff95a933cd8
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4640 /prefetch:6
2⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
2⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
2⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7144 /prefetch:8
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
2⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
2⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
2⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
2⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
2⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
2⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6192259875259313969,14475786765171683001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5700 /prefetch:2
2⤵
PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
19KB

MD5
02363e4c20be02f305298c569681427c

SHA1
eeef3294f36805907ec217be82022a71350aa7f5

SHA256
de0591b9220b931a57f173ce64d7e14f041b979ca5bec6127b4bcec7c373ad1c

SHA512
7ad5ab34536709f0aa0c7fedabf6432a6eb2f5d201bc71aa34e236e230d9fdf7c01eae3a1800de9f9af01521b881478f259be1574755c4fc17b8090e237be9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
595703c46b54b841daf0ce8df305b2f0

SHA1
95624d217523c4aab0cbdfd1301bbe33e6172ec3

SHA256
f1fc266d715136ade2fe7e4a6bc1e5603a92587b2f4c37c027d7b2b5aab63908

SHA512
752031417ef3fcbd19f3718d2c9409a14baf45e9bbab3d22c7cde78a7b3ffbc78a9838b01298c73bc704f5cac86c70611f37d4f767e43e8f2fa066d04a062c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
78fd67c40a9f5892c62b93c187001c0a

SHA1
91e5d7c46156a787bdb4786ffba5da0f64cb379e

SHA256
c1b5c4888d26baf87e4cccee6cba8f90ac2f0ff4b1c057dd0d79b57fdb18d7af

SHA512
1d7fab3f28534d66a6d50febaec4ea518162dd898edf82343bae804dccd2552720505e010e17fec16bef0c3e47fb0dfb94b945f98062b72eeb6b9035ee11b61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
426B

MD5
f0e7effd094e7615c6618516ae68b357

SHA1
d7af53415ec0fe568943cec1a4e29fbfb1d50b3a

SHA256
70126b61df2c0ce680441b380371f1df4fa64c189b806befc7bb4345a94c5e2b

SHA512
b98c5f1f085bbe1224edc355d8a32a9d914e05e8dd5a6ceeb3760b626f2a0e38e6b538ba1fc139405a7c0f5c8750614088205389c890794c7b3f8852606442f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
496B

MD5
29db54c42e6ebea346598deb2d71e85b

SHA1
0a84142b886e25cfde40ae73e36c57253133e322

SHA256
8403a9eab30bc63d715de531dd5e6ce022b1713d337c6c4b209637a4e1ef7e01

SHA512
4682aa61e646ffb8f1c6fb8b3f624bd3713776208fb67c872a65cc7da4434a73cd0a3c8c698972871313ac9909642ccaa35aa1ceddb883794e201449d3e8b827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
426B

MD5
916fb3226fb287c0d8e63acc39b376cb

SHA1
f2b161162e39a8b28238f0416e55dacb44cee250

SHA256
6f313b438d0f1c96a14e1dc9003be49330cf45718aa73b30662ed5ce262fd824

SHA512
90a6eb0a19c21a3efed912f88278ce72fe2373f051fb56bcf7ecc5a862569f7a0b975e8b6650acb12ef6f973feb8f971eb50460ce1e0df7a27fbefa9877fb62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3eda82dfc88317daed1260f11a1067ff

SHA1
da3942c44f56235f4cb1f9ff0a070e0cfd5a5e71

SHA256
a521c48fdb14efcdafe1f709dcab6ae686abdd1a1f76e7c21c7392aa9ff754f3

SHA512
7086260175791e6f6779bc141dfe3e9870d799ccf27a709066b6ef2e3eca2fc604308113f9d59e392b2559426c50c637af1583461712c1c7a14e90ba14da9670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
981d01307a3ef4f82555e9c7a30fb8b2

SHA1
736d73a05f484178c259201d8426d706b0fc44b5

SHA256
f738af9e9c4f9963ce8df7b4d57111283b6b6fc607bbf5e109fcb181f4a3e2a2

SHA512
66d61b3d1bb873b39f5f0f158eeddc5ca6f3b1e6c923333e862a0aff81d753d8401bb3154d47d91414580afbba55ac70715a14ca7a8d7be76e615c1f03cce132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
8d281f4a9c6ce87f79e1032b4f66d275

SHA1
042c7fde79bd0a1be1c9b27e37215bee0f5e243b

SHA256
bcc15ff83fa09e6c2857d3d23f1799645534f4f0b5462e1f235e389719566a55

SHA512
a329ee6e465bdc90b3540b3e4bcad5f3aaa90dd733f8d1a2dd9dd522a9655b58ec95e0e5aa6c4157752627c1fde43006aad8627d700070f574e1d00bd6eb3e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
dc45b4ef7510782134d6b3c156548285

SHA1
fc42125a70ceef4aeeaa95d133b0c9325afcead0

SHA256
919d600104b6868447f798912f49cde6a9f76692eea1580b3d226682a673668a

SHA512
38b07ea15baf74c8a5d70aac7c070e318a832feaf84fca7ca5f958f1fadf227f1952e7902bec9a6e8d5acb87adb009704b4dd448181dc170e1a283e9a16cef66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
ca9e808bd30a1477c3f161f86eb587e1

SHA1
2ce802ac0f05c1cf3544b0de23d27d368d1c4d13

SHA256
14bb5d1cb0286a63672595959d168ab672648a4a4bb5fedb6161ee5af499cec0

SHA512
f9d64fbe3822c5215e63db546cd34999d238cf94f3827d43779e0cf0b9b441b07e9eaf0f621fd5f5c0f7c9159a93e3dcf390c0f880695cc1f0f5517b9e4e23f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f66fc29a932ee4faa2b62819d6083cb8

SHA1
54c90fb9dab54a81e70413f3a7764925843be7b7

SHA256
432236793bb7858f676fd83d19d2607b9a82d6296c149e7f76b9e42dd4485671

SHA512
05dd55a82ece941a7a89867b894d0ee785cb7ae5e974c2f9c327995505de9ae54494089c37743a2cf7504c6c7459ed5143fa719e5b2e7f79cd1e075afbf2d441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
5798c15a23aa98c71da8c19c2d04d44a

SHA1
5f90975351b3e0c54abbf0abc578ea26ef7217ca

SHA256
7d9ebb9469c317edd2f98293bae78ec3462343cbb951b234f102c3aa1afa2db4

SHA512
155520781c728dfecfcbc3fd7ee4c052b40b25f4435f5b9e7d3958eb95198b7023417c7fc76291e175c4c0ac94f33281184e30debc1f59d80fef03f977b31f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cd28a6461281312455f154e431325e22

SHA1
4b8a637897ac6ac92ca10a69c1ceaa89dc8301be

SHA256
5ce442bac0484beecb342b128d6c43a119f38fb7bf7c20b34bd1af1d92360480

SHA512
3356b5bab391f9bc7f626ca251902ecd583de25258c166e2ec7f21986c2536fd771db8f7426eaba0ed801f82e98ccfa7cf0aef2b1283d80bab75c9d760bf2f38

Download Submit
\??\pipe\LOCAL\crashpad_2612_TAWMBJVAWYGARIDG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit