hxxps://www[.]techpowerup[.]com/gpu-specs/geforce-gtx-960[.]c2637

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.techpowerup.com/gpu-specs/geforce-gtx-960.c2637

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-635608581-3370340891-292606865-1000\{008FDE8F-0D10-4E12-A974-63D596031EA8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
828	msedge.exe
828	msedge.exe
1332	msedge.exe
1332	msedge.exe
4856	identity_helper.exe
4856	identity_helper.exe
1876	msedge.exe
1876	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4432	mmc.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4432	mmc.exe
Token: SeIncBasePriorityPrivilege	4432	mmc.exe
Token: 33	4432	mmc.exe
Token: SeIncBasePriorityPrivilege	4432	mmc.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
4432	mmc.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4432	mmc.exe
4432	mmc.exe
4432	mmc.exe
4432	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 312	1332	msedge.exe	83
PID 1332 wrote to memory of 312	1332	msedge.exe	83
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 340	1332	msedge.exe	87
PID 1332 wrote to memory of 828	1332	msedge.exe	86
PID 1332 wrote to memory of 828	1332	msedge.exe	86
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88
PID 1332 wrote to memory of 1492	1332	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.techpowerup.com/gpu-specs/geforce-gtx-960.c2637
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cc6846f8,0x7ff8cc684708,0x7ff8cc684718
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,714757074425958997,15126296786764253439,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2608

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x458
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5a955c2f5d4a72fd03fa868b30347ecb

SHA1
a5639106256495aca98e549c7c1ed461163bf0fa

SHA256
45d585db5837ad6ff9f032160041d77fd23abe59885f0deb509d8bfdbd2b71c9

SHA512
824f8a5eb10ee2d2d5fc5aad963bcae9beac9c070f1d02a9fe3f6bdcb023859fe8b9aa7374f5a9579c8a3ae7d9a77e105094eaa53060df9b9a226c6067526d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
fd140fabd51950e18eae59a7bf58d595

SHA1
2e0426d3b8dc9fd69ff9858a11b84d00d563a912

SHA256
609db3e5eae6d9ac1a7bb69be7d52d91d605c2b3b6c7da2c3dc9910300495ec0

SHA512
ada6b0d49e706126b67c6ab82bd22607594de482a577c209d668604947c261ff0d35a207a60d4f94fb7a39589fe0540be98a2515a78c0c0ce9000834492acde6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
e9c7c538fab71609d7c44627b83ac387

SHA1
9d578868484381485a2ddf032ebd7d0519c31a4d

SHA256
35bd448912cc8f5d402e39e4d0cf4198ccc3aa1487886258f9ad3876ba51c682

SHA512
0b822376e7559b8422df4ce802edfc38de18b159d65175fbaf6b8fe7373fbc855bc289b673f4ec885d2b66b3c1cf243e4af0997faa3c5d5c5abefe8a6a8171f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
644f6daa74f201e2f13c65357be30cd4

SHA1
b654a7407859643b753676826ac07c3162371fb7

SHA256
1d0cdc924d47dd416fb810446ae444c6d5314cf15fca6351a66394d5e0ea6b84

SHA512
d133582ba3e78f6df7262a6afa947f69e0f7d86ddcc359adaf8018731b4712154d1811c344f86770ab87ee80256a10588896784f2f9dc1cd9df428229e4bd9c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6f963f0f8fb9efd5e297933993c9c4d

SHA1
884b1a1365f06ec400a7a30f78d7dca6a6e6559a

SHA256
c6d30aa61c375df5d3317b1c5ca8cb255cca19b0e01c34394a3c9596c651f78f

SHA512
064b75c021dbfe505c4b6c95669f08506122878810a8485586baf122e10b3e3a51961d418af20d1e5e467de3b4af2c0b25674bbc4cf4b95fb1e006c8c9c49fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2797ff483c2523ccbd219b7e07d1e3b7

SHA1
1941223d12ec67fa49302af056dbff1863fb32f0

SHA256
6d67a4d95badce8fb437f5fd32b068c705f9b51c345169d63268eee3aeae24db

SHA512
401a114e6ca177fe40620a1295bfcc4a6ca08d24c00976eba467aafa40b83ed1b9eb77826e9ffccc4fbaa7eae5b437041b2fe04a8a2d5e0387cfde66ac73dcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf780dfe32a02e0527efb866b9ecddce

SHA1
5a950e6196937d1d6b7528385e4511a0e0b2dc4c

SHA256
673fc1e3a7402bf8e68bd940bde6b0f6d4e836aba24a72d88ff3b8ee601fe5f7

SHA512
e92142b70f8c9ee202fa129ae04493c88d5f1859d175fb3aecebb426b941592b0e9c869fbd46cf4532fbcde9b7142f1a99a8c6fcc7ece71f21554bd534c098b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a3e6ec6bdc5e51344aebe39f9ce9fc6

SHA1
5234fe3a55e439e1d5d1e6b23b76aa322ebbda48

SHA256
28bc4887cf33c607c00aec8bd7aa696b77ff23891eac3982765c1b2137cea6df

SHA512
a3f221f55e129865a11d8f401b9d01ba9d83de59822e72cc91cae4314fd63ed793b0966278ea782ee784ee296d5bc92f0098000c6454d1799483e57b36aec247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e67f689c168a82266e4b7ad2ad6349b2

SHA1
5842fc0765de0ad0737fac7f95ab4a2f3a8a6a24

SHA256
d2d49dc07c3017ff3841644e343d829f5359a0dfbbcbdbbb4d1af4b91f0b75cb

SHA512
2fd4e1a8741711dabee98bbfeaab83e1ba314d55bc0c4f5cef11386f01f90250ff0743dbde0060a02ac148a959ecc5b5e34b951007253fe51502d2752992f790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8b2132caa85a882a9ce0c1b99bb1ba7e

SHA1
fdd4907b6b4bf605f23735c1b4de202a01adcfdb

SHA256
7c6070d72142b64d051aaa652a5e60f5f7072ae9ca33c8e64579074ce46dd221

SHA512
0bd1865fb0bef12768d82c9b35c1b49c88269f77134d30d2e9234edefc0931f117ec5726cafac66771bb382bb868b929e05e57cca4a0205eeba98c6215d1b886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ef5749cf0b286eb431d8d6eae06efd4

SHA1
9e2ed47690bd66e039201083a0c6353d5a654366

SHA256
d6e562847cf2ad01da0981b7c33aad3de2b55273158f14693f8d45fc9980af5c

SHA512
a963418d78ed65feb5d616ffd0d9dcea8a6066ce0cf54f9c9e18ac94c74144c9393f808d0547958cfe186cb204c8ac01cc25a67635eba591ee6500b30ff3c9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4923492ea5cb0a796e5eca4739630071

SHA1
8278b031bc3aeb7b89767341874facac9ee8086b

SHA256
d41f324f77129395bd8f4f6a14a2f7601f431a30ef83d59d12704ff1e81253fa

SHA512
90414d79e399e9259c6bfcb8fcade2a3789446976060ea544c86b89a575cbde582ce303efba31a6409f5776109a79abe6681f3cafe0754ad1045c81337f50233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8aa38f3bff6065a39fcbe24ccd2a8936

SHA1
f9fbd1e89fad3ead75a803ad7b7f006c7259de87

SHA256
f65162865789806dac0db8d9756220f7f11ef6aadd74c3e58632c0e41d820b33

SHA512
3ebb2306737e2a548d082116a1b48e20c54b39bbe312aad741187a3921978553632f5f628fa9d7461149bd82c8766ed0d1c726e0de4d0a2dc2dd1fe451e398ec

Download Submit