1c5cd32a192d6dce5634adcf261f21231e8b6ab85fc4bcb9797e1b13056a1f34

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oyunindir.vip crysis.torrent
Size

15KB
MD5

004b16caf233eded177bc452de113d65
SHA1

baedf69b15ac5375f0da212585a8150f5130bed1
SHA256

1c5cd32a192d6dce5634adcf261f21231e8b6ab85fc4bcb9797e1b13056a1f34
SHA512

630befc87149bb2e111cd95aa6ac3a85db792b41fde5ef3b8d8619e56e751da0b7934b77376da7a33eb79edf8ab252bd41b6bf370bd7cd4ce063ef5b1cb4fefa
SSDEEP

384:k04h1BzKeZ3vIps4qtqCDjR4MpLWDxCFuMiKpcKNxSqiJaJHSWrF1slwDrOkYa+l:6U1r7xHOC8T5hEnfTZEYrZX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
3048	msedge.exe
3048	msedge.exe
2508	identity_helper.exe
2508	identity_helper.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5632	taskmgr.exe
Token: SeSystemProfilePrivilege	5632	taskmgr.exe
Token: SeCreateGlobalPrivilege	5632	taskmgr.exe
Token: 33	5632	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5632	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe
5632	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3076	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4380	3048	msedge.exe	98
PID 3048 wrote to memory of 4380	3048	msedge.exe	98
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 3408	3048	msedge.exe	99
PID 3048 wrote to memory of 2752	3048	msedge.exe	100
PID 3048 wrote to memory of 2752	3048	msedge.exe	100
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101
PID 3048 wrote to memory of 2692	3048	msedge.exe	101

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\oyunindir.vip crysis.torrent"
1⤵
- Modifies registry class
PID:3132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9580846f8,0x7ff958084708,0x7ff958084718
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17074360614790232586,3908022065887109778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f6d41bf10dc1ec1ca4e14d350bbc0b1

SHA1
7a62b23dc3c19e16930b5108d209c4ec937d7dfb

SHA256
35947f71e9cd4bda79e78d028d025dff5fe99c07ea9c767e487ca45d33a5c770

SHA512
046d6c2193a89f4b1b7f932730a0fc72e9fc95fbdb5514435a3e2a73415a105e4f6fa7d536ae6b24638a6aa97beb5c8777e03f597bb4bc928fa8b364b7192a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4254f7a8438af12de575e00b22651d6c

SHA1
a3c7bde09221129451a7bb42c1707f64b178e573

SHA256
7f55f63c6b77511999eee973415c1f313f81bc0533a36b041820dd4e84f9879b

SHA512
e6a3244139cd6e09cef7dab531bff674847c7ca77218bd1f971aa9bf733a253ac311571b8d6a3fe13e13da4f506fec413f3b345a3429e09d7ceb821a7017ec70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
61KB

MD5
1971e737391eabf87667012e84069a5a

SHA1
8fd29644afc6da70873c25f9bf9d1c495c759843

SHA256
c9aab23276584648e971c3745fca3bed6d9e4c7e373bf3dc7ad316f2aef42fd3

SHA512
23062a1d410b69532d3bf97ec7d1fa3c27e974613326fe3a3d80f909d595bda78f2ba366bcd612e494ecee1af1493264d0044a26fae604466e5437a25da6280b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
41KB

MD5
271aa829d4ee3960b052d1e8e96541ae

SHA1
3c2f47a58201c0dc0104b11da2fead60054eb7d2

SHA256
73b567eccb4e9b2257334d383e9584546f49ac27d893357e2bda2821faa770ac

SHA512
f50b5d261e909e4b3d4cdf99c567843c4b624f0ed9b7dc273167330f84dc544c5ecdf8cc0709db47be7398c70c26deacce5603523e9e6914cd3f66748304723b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
40KB

MD5
8b62ca0df5fb6daf3218fe5fb12519ae

SHA1
ccfbcaa01d4b5d9e9f82d12780cd13f9887dd760

SHA256
5048d62eed533b3c8234140a394c0d5933dbb5a35236c1ba859a1d9f921cc0b3

SHA512
bf6eb73e529b3d81adb89bf743316cbbc853c122b5d432bcc2252dfb0a962d0206acb845a97be2fdd0c67413335eb7c82c8c30dd5d249d9baae6543e1352cee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
60KB

MD5
4baf37ea6c60848f63411c496e1250bb

SHA1
91a56ef9fb2c3ecb89431cab5de972e53ec4470c

SHA256
158b8ebbe8a82347b695743bd07a553bd4b7f7cc5e0909ae93b82ddabfb412bd

SHA512
237a7e4363949aad08cf0728520336ae7fec84e2ab6407d17ed36fa70e2b07853740c812c95ddd9eaa19c76762d47b0f4cc809278bd46ab6bbf2f2fde96ca178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
984f0c18c0db8f25b54dfab7c8c3407d

SHA1
eeda7d72670dab519bc7dd14e0a24c668e91a074

SHA256
42223627ce74c2f6b6459605afe682b04e1240a1f68a420f80fd52c7b4e834f3

SHA512
3e2225f373d6e837dc89033f6f504b8c49d286e09d662aab1b8c67d0660ed1dbcd8949c678de270504252e5f9a6ab91394e10a05659f06083346847d13086ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2b52551f0e9b1aa9e020b07a7d28824a

SHA1
8f4ea293986482dd9149b47e5df8001f5f897a06

SHA256
231245e2484e5788ddf1838d76aa65491967d4e61ebcc7038c02ab65656c8ee1

SHA512
7e0fada817140afa1e9b3ef1d5402e989b78dbd18d0f3d5430da633beb8b0b10d003d1cb61380a59a5e831dfc42d95161c02721982f9c2c88a6c44807efc9e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0277add40c4267183ea63bb552360431

SHA1
431a82a07656b738d0947e2c87c2ad77e4aed002

SHA256
8267056fb7c30522ca61f772348d0a35109647982e1aede8ccdc4d3bcaf60c5e

SHA512
8172360413e51745a32800f00592807e06b297670d33ad0007c0ddfbb101a75c0b77d3bdf468d008f3e4fe1a820ae28c60bdc7d8be9c8c9062186c50ced5cea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3a5005311acd2ff25a452a94678ebb7b

SHA1
3696d97d27e30d325f89423853a5c90fa9232e1d

SHA256
6dae78bf5f4dfe584a167f0120548d5a43838dba78013b17a493e8105558e32b

SHA512
a2f3a58346494b50275eb11f447bc0e34c96227c0e1c894e80c2e082c6996a77fe6ae2dc239ba18485aa69cc67ddf52cbe3d375a5133bfe2bc81ca7916a83779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5e68b52880618de8d9ed3dc2ca77d4d8

SHA1
d66c34a275757a418bdeece294b64723cbccfd2c

SHA256
333bbd9b61c0581c87fb0c811a51a488dfe66d68ca31f48cfd479d0a56ee386b

SHA512
2c9c9257ea791df6d126c4831f2bac486af12e2b3e2696dddff456cb912e142b335b10af7f0358efbb2c8b5b6129e1da926df8058df80a6ac5be7040f455fae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597c3b.TMP

Filesize
2KB

MD5
ca5228d837a03e5ecad1ad916ebc03af

SHA1
8332c73385d106469f40fb41aa85a3144a83f98a

SHA256
104aa5eb2fcda49d812b0d7c082c20e3e111c8ff03da690d1e4ff3ae26de32c2

SHA512
6652507abaae746e1579439e2277ab657bae6641dd45ce461d38b6aff465adfb868f7a27faae45a53a15f6058f6ebdc87610d5edd7598f9522200089c3dc3dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a89702010e5f9daddbed145e005cedcc

SHA1
9d42efbeffee1fe644ac6a40f22a4e9d1b577b9c

SHA256
c7d54792cff6875791e1a19c87429da6d6d2f2c7d9dcc8f65d83de3ae2e5712e

SHA512
256dd60747b8546926d2084cb68dbb865c19b2d4b4297d0894fadc802364d6ac9a41842736b7d8252a67082d140bb380f454a80a787e00402934207fab8ef9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90c6d2a5bc205b01b465fe166b0b745d

SHA1
e5f899fdce35aa857d8b39a2ace27f6243162a9d

SHA256
2db1f173757572578a51e251a817d92268e2c94c9e93bd72a2f8f04f25820bdf

SHA512
ec6ad1604b613bdaf4995eda15c1afc5d7ffd88f57659093de0169da1b6b913f335b2e67087f5f2cd570f90b48ac84c28c83c4bd76567ca9706025a1e2a5fd39

Download Submit
memory/5632-325-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-321-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-322-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-326-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-328-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-329-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-320-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-304-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-313-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download
memory/5632-299-0x000002D8D3750000-0x000002D8D3751000-memory.dmp

Filesize
4KB

Download