a96e25e828ff6762d3e630a863e27ff54e53d8c5de90b7ea60f4d30facbc559d

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ContentWarning_Fix_Repair_Steam_V4_Generic/OnlineFix.url
Size

46B
MD5

59bf167dc52a52f6e45f418f8c73ffa1
SHA1

fa006950a6a971e89d4a1c23070d458a30463999
SHA256

3cb526cccccc54af4c006fff00d1f48f830d08cdd4a2f21213856065666ef38e
SHA512

00005820f0418d4a3b802de4a7055475c88d79c2ee3ebfa580b7ae66a12c6966e5b092a02dc0f40db0fd3b821ea28d4aec14d7d404ead4ea88dc54a1815ffe26

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
32	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3244	msedge.exe
3244	msedge.exe
3164	msedge.exe
3164	msedge.exe
2120	identity_helper.exe
2120	identity_helper.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3164	400	rundll32.exe	82
PID 400 wrote to memory of 3164	400	rundll32.exe	82
PID 3164 wrote to memory of 4848	3164	msedge.exe	84
PID 3164 wrote to memory of 4848	3164	msedge.exe	84
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 1108	3164	msedge.exe	86
PID 3164 wrote to memory of 3244	3164	msedge.exe	87
PID 3164 wrote to memory of 3244	3164	msedge.exe	87
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88
PID 3164 wrote to memory of 4596	3164	msedge.exe	88

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ContentWarning_Fix_Repair_Steam_V4_Generic\OnlineFix.url
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://online-fix.me/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9872f46f8,0x7ff9872f4708,0x7ff9872f4718
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    3⤵
    PID:4596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:1756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5304 /prefetch:8
    3⤵
    PID:1792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5804 /prefetch:8
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
    3⤵
    PID:2080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
    3⤵
    PID:544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
    3⤵
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1
    3⤵
    PID:4116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
    3⤵
    PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
    3⤵
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
    3⤵
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7728 /prefetch:8
    3⤵
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7728 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
    3⤵
    PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
    3⤵
    PID:1304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:1
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2699545653972433226,11221126535573133069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8420 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x294
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008c

Filesize
243KB

MD5
930b5b08297c63eaaf8e90c77ed8af3c

SHA1
58cf1869e79f3630701e6d844eb39a5f057bbe2d

SHA256
95c957668d3149a2e067d1a293f07c1dea10c7bc54ac86da7f2bddd53c211243

SHA512
77f1fab10725a809f4d00bc94d5178d7c2b1ee48edb252d4f88dc50d76285c1d1380010cae949b9b2ce42ab0dba26eee17e59d575190427bd368ab7635662206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009a

Filesize
182KB

MD5
1ddc733de0574878ec943999e332cf87

SHA1
8e19194bf720a6988a3679caa043a911eb73d7d0

SHA256
2f543422fd507f434eaa826e807b167b97cf03afd0e0775fd77b5c47ee5e6fdd

SHA512
db6dafd2e2c046c90a1be7d15adaf6207a70b7e9a8063d69cfc3a3181b0ab7a20fce215dc74519eaeacb8ed1d213c97f41abddc8cb0d14bf48fee6be202a7309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\429ea9adfcf41ecd_0

Filesize
38KB

MD5
762612604b4a5bce46d423178ea6b0fb

SHA1
409cd1fdb079c7a43f89aee429894d631e626dc3

SHA256
d86df9e0d6ac2a40e8c70a9bcb89a8da1a127ef1eb2401e2ee7b7ce9f8d35ac1

SHA512
922a5fcef98fc13be30592b39071577ba97e85556e0be5c3d836e10bf29ab7dc1cfb9b895156a9c8d98ef7b1a6729b5d99aa19f1d9cf2281670f174f44dacdc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\429ea9adfcf41ecd_0

Filesize
38KB

MD5
0517aaaaccbb6c2a3299909a64af7523

SHA1
da8998d22b311c057de5003ea3dfb03745e5c042

SHA256
2598c0e2fff2db5657a9b1da1641456ad34fb173809ace1189bade8571bec7ce

SHA512
0a830389a84a0261838571600c8a46d06c3000cfcb97a88e89a2380f9b2e08155388c4b1bc583f3d07efccfd20d89fbc7107897fc9834d572d4fd2045ffacb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bd4d6a7090f86cce49d40411a5a3ce22

SHA1
8c0bc969083dbd2cc8a2802f5a41b09633c5a901

SHA256
1eb0d46fc0908532abd4e90bcef3f40c2f8ebb0921bd3b47414f8dcf493521ec

SHA512
2c757c74f98642f3d5d8c21dabe4c0b007abfd91464ba1d4672e88f994482885f4ce029a8110a7abff179f4ad8856038aaa4b58557a1222955fda57e6ede0d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
384ff8003aa5f61c25fd33994efe7b16

SHA1
546c2d9f00c6f544d3d408977dd9dcff15daf051

SHA256
adc4ceb0fa4da33dcfcb356310db9550e330aa44944eb2e4c38660299628665f

SHA512
e60b09727ccbfa712e6bf364ef33ca056850f0edb8254ab81c0c62a4a3b28bb2d75ef584e1d2f845687baa1f068b98f3db5e462fb2405f5990f954e923498e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
fd94cf8110354ae036ef516e5fffbb29

SHA1
c6a4a5a9a337ab513713b7b7c46ae3b50d1273a3

SHA256
8927874835bc22d039f32cf26ca3ed2731093121e1720ab447ca4931be3864a8

SHA512
c5f98e4105c7919831635999ccf2d94a2ed2c474f9801055c8b821d0335a5b056a0229c645cf6d286e3c60cacceb9945a0b7bd41c0898636cc9e308802df186d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
63b9ca4dfa53d5e86cafc60a9e77371f

SHA1
74e4d465df214d321cc56ec0dce6cc9fea35a3e3

SHA256
8669c16a8580a1f0261f75c90fae24862e11ff0c73587d31dc5dfe9db95fa5c6

SHA512
847bd59417336cd8f1045d10a6c10a986396a802454c3f9856821ab55b1ade872839da1ec46d01057b6f97c78c4c1d1ef0dda3729c1d28cb66fc3cbd597fe08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f38a485a91d8645fdaaf5aaa93dbd99

SHA1
530f4d447e9e1493cec6485cd4badb2cacbeaaf8

SHA256
cc88b8bc659ed21684726eb25d259f1bb8acca6d9517c4a1476298f64569e82d

SHA512
4034e78302f03f4dfb05c7a90c7b1c6782afa5b729f2fe1d6fa1aa19f8dbdc2a24e1d8170e32c811b9ef921bcf792c7ad059026f51b3a9a1caf301ee7598978b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
629bbe18f75180dbf4c58d997b4dbc86

SHA1
0252dfcc23d2ccd1ed40aa2b70010bdbdbb3f578

SHA256
393805e69cf408c2248f0659e1a2493e5d8c36366b539b3850f8ce05c505d4f0

SHA512
0068b9b01d6217cafb2601391cee62a3b9baac757cee3cf124884e982f9eaf90a3c753dfdf86b8362c6c13255fa3e7c855f76bb9713f1e364c2a4c24b3769b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
da5ac501669822638252ba087232db08

SHA1
34b5f13d05bd391613e211324aa17d3fb9192592

SHA256
6725c3e478fbbacd086da9a28241cbb7033a1a2b46c5401774b9d63ac1609617

SHA512
b4ffa3bddb2bd2199356400901c9900970dbd88c8b1d564817dcc29780dcedea1e03e61c05e8eae89913dda4f1345871cd61d9db1a5d6593ed2dd41bd45ee04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e944e06ed53dba3df122493a113effa2

SHA1
a8d21118a21d03cf27c6fe1dd1d8cf12536539d2

SHA256
4a1ae7dc69d0cf67d6629bfd8e8cb3fa77307264c39b7dd8e2511c93c40951a7

SHA512
c6c4ee5a8905e1a5560ce6e73a16a8be058cb263471ac017ec53579d5a534780cd1c11259b582a2072701000f234a934b113c8e1497dff25d652dc6faed86c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5721c0e6a0bb62c1bd5c47deccf595eb

SHA1
a3dc4c7e2adea31918e6dd24f41681ac79d83f12

SHA256
8419fed9300cda95fcf41e8469ab2e2c37b9d0863197f6c441a2c0a96562de86

SHA512
7fda35777b0ba69e01603c3fdcc53ca27154b0745dc875da0f59269f77354255a82a5a78fba39c8eac4b24bda90b4f90d0d234f17d6cd1a7854288bb40426c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6e4d54a04a94009a1209d4794a44d8ec

SHA1
72056cec3fcca52a2460a5f7db57cb14adf2b116

SHA256
b99c836f45278e190632f854e805c1778c6b53c989fcf6b6fddf0522b6db0eb2

SHA512
3112771b7ff73226b8b247738afc9919d162ba341ab2b35de75defadf3225b43d91e869e1fd30981fcf49cf91dbf2dea6595cda13a818deb4bcf99d845ae6a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
339c9d966f9cfd0fefb9ccc89b2209d8

SHA1
52cca597a21622b5616b0a32f340fdf3fbfac23c

SHA256
fb5fe360d55eecbcb8a60d7672e74ba58acadde5d899f715c453bb3c278de296

SHA512
ed0e82af3d6daab6af9d3758c1329ffd562a62fd6f8c2056fbba475baa2a673d9a65e3dc1bc9f2891f506423840f8fc3d6c732e21cd4aed19124d27ab5dcf926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7bf9bee1cb775303333350519fd07d74

SHA1
848eed78fcaf7590c030a1222d69a83294553bff

SHA256
fac8f31fc58bb9413a70f15351eb3a59ed91fb02b8f9890170ee193d01f38a88

SHA512
dfa25f1e97939b41e47e73697b0a0cb055f25b378e429cb6f18558e13e46858b088a6607577c067def4a51b2f2850ad4b8283cebc2b92416625ad381af9e4e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b7354b3176b42bc65516f1f751e59b38

SHA1
74ced76490af72ae9c9936785d681b497a3bc11f

SHA256
5002d38deb6d2f9ad73539132b63b5056b8ca407b0555751fdf59baaede43a40

SHA512
84025e88a18d4902b610d6afaba4565b2d23134a0054c1462ca2a99cc43a494359737a020f2ca86de0cd6b16e84c27e5f37a1ed731c46c3c2428acaec4b7a664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
88ec48920f5719d1a549be44bc1ac43d

SHA1
65df1714e71ffea11cd5b95429be9c8474fe6f59

SHA256
6c3c8639f018d246b81a0f574dd773a2945710615ec5cc55c2d9cff5e7a0edd3

SHA512
4343c21a0a71767b1acb174c7d39a6be90919f8e5e8327a4a7d2bf5a58278791a86057fc87f0abe4ed7c7cdcc32429d4e18d9ba067bb1893f41429c27804b7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578964.TMP

Filesize
1KB

MD5
5abee631b5087f079205029dd237adad

SHA1
9b3565a2e3708cd98d0720515d443e5795992605

SHA256
f65a6d11196d0baf3e6fc96d62a54029e93718382a35af179ddcc18f668b1c6d

SHA512
9785188855d9c30930dca71d98ac2e2842b1a3deafe40a1a0716f9f08af59a5fd1cadc924683274eda86a43de0012f8b33075e520549d3df24c07fdbe5f91d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8911f89eb33f1b08b07acd018126f3fa

SHA1
12937166f371b237e7ec639f104a6e637031cf7b

SHA256
de0de8ec2af075d97c1e21eed5aaa5d87597bcd0477e28bbde0bd52ae1831a2f

SHA512
29d9bcb64142ccbe0c8b1098fac57d20254c26a01075e7deb0d3d67809abb353e96666eb2a19aca4f79f4ea432b684e42fcbb9386e8d8e06508e56507762ab79

Download Submit