hxxp://discord[.]com

Analysis

max time kernel
960s
max time network
1049s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25/04/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://discord.com

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	discord.com
9	discord.com
148	discord.com
159	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3263309122-2820180308-3568046652-1000\{C5DE2D8D-8256-4538-8A33-90A16A7B8580}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
904	msedge.exe
904	msedge.exe
4952	msedge.exe
4952	msedge.exe
5072	msedge.exe
5072	msedge.exe
3748	identity_helper.exe
3748	identity_helper.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4280	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 3584	904	msedge.exe	79
PID 904 wrote to memory of 3584	904	msedge.exe	79
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 3020	904	msedge.exe	80
PID 904 wrote to memory of 2156	904	msedge.exe	81
PID 904 wrote to memory of 2156	904	msedge.exe	81
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82
PID 904 wrote to memory of 2068	904	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://discord.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc0b4b3cb8,0x7ffc0b4b3cc8,0x7ffc0b4b3cd8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15672145381885936286,18359416167391038089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57e5c5a9236321d336e2c8ce1eeff844

SHA1
8fd4288af72ba3f7a0ecc5583a9265723fefc096

SHA256
ae6496cf397848bf3139858deaf567e3df991bab5a7704a0fa7aae95474872d7

SHA512
bc3f24afe6ce0494022d8201a01a60239ac5cfee54e0650a337036817056424b418cb636d58d07e5034dffe2226906202b56509e4cc07562c0b60f618c420080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
493e7e14aceba0ff1c0720920cccc4a2

SHA1
468f39cefbcf14a04388b72d4f02552649bf3101

SHA256
a0dd32ed60115f661a4ca537472e0d4e230ff844d56a3db766299cf4cd817842

SHA512
e16c748e4513ea10bf7124cef7b50dc5f3a1802205af9228e0c33fdbf3c24286739db08db4b813079ed7cc36be43d7457f4c26f00ae3126a2fafd77d2696107a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
29KB

MD5
07bd004322d7b2832709191bddd0567a

SHA1
9149ed0c2466995a3b6dd5182865a78fd76ec0ea

SHA256
6160a9f25b0dba39f0325b3268e0c00e2c374fd278fd1e90edc2fa87271b55bd

SHA512
28de08cc0284652a62600ea99583a758e83b8c79e10982a8fb11058bb5bfeac5570ecc51b4c58589e8f1b821645839ea5639dbdea2071bd1af9d0d4145e2d944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
93KB

MD5
a8cd5b56384a0a6c56270aac751c5f40

SHA1
bef1714218e3eece8e04b23e448d7ffbc37b35a6

SHA256
1fd3c63746c6637930c70d45cbf8bef5ae20a80247dcaeacbd64d12bb381bc13

SHA512
09b2d6216e2a9aee87543bbe21b95a818a48f9c40e1495a35dc1aaa171b260f77e2d34813ee9fa22099cedb009fd83bc77bee81b298615b18354e7cbaf25b245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
68804ae80d631b5c21b401f1f643b8c3

SHA1
ab96d3f8a8152ca4acc758018a6311b4f972f519

SHA256
2ae82d10dd3160212d9a288dcdfc5cf8acc25e1cb62caa07a28ff2f1bf933aa3

SHA512
d8de7eeddbdccbed2940349c61ada28fa0292b07870c963ee9687b93845df8c0a026c5702d19987f0b6a84babf3e2a5d67a6c7ed6b433f85c4afb90df3619d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f8e1a6ee6526d2761ad641074bd76204

SHA1
285795fa3e1863056c0c266e77b645d3217690e2

SHA256
2b7e514c89354da5c94b32c606dc33d277377d81ee620573dca1841f8a395197

SHA512
39ad8ce50a9e66b035daa9fdc86c539a97f0d24f813c2a831d5d143b6d62953d6ae7e571782b681d6739a4fa7c6cfd188a96fda255f9240387a3d9c0e597a49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
919cc6238830839d74b6dba46f6a8eef

SHA1
19bc3443dd86dade9a76d21d5ba2876fd4fb8b05

SHA256
95c6a21904ae1787097c1013bc3dab4200357334c28615573d79da7584f94b0e

SHA512
1eea44ea154e7c1d3b8225c7b9a39c068b78e3dc031ba7a7605925e9eb18017f02e1decf1699bb9414b149886222b8871bdbbebfe64f4771b67a2d6b7e0281d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
920afd9507844a2a5862142924b07c2c

SHA1
274d1cf68ba2b58694a3600a0defeb5d9cc96525

SHA256
4c55f2d858286e036236538233658759681af1359b4ba79afd09456f08a40bcf

SHA512
532d7dd8beb9ec92c131f720d2d8dc3ef961fee7fff1c739c80c54d70149a182071a04ed08b191931c8b0ab2713159003684184339cc6d20338506eb0452aae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
741d17e672fc526d537df55236a286e8

SHA1
62bb8e4cad05cda2b3083a5f9667b2250899a072

SHA256
4e6af514ba0669cefff710cdf853b28de4e3b15384faf857aed4df1b8184e095

SHA512
d1200fe46bec67d5ec75ac4de3d11904a976f0e28bd133d3424a9aa5fb643a10872ba6f68dab124a79eae77367651867d43b5ca110f1e4ea8074b1d8aa19369d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3cb294ae9f94c866d1e05519c878ba1d

SHA1
8fd18d3e3f443cd8e93b4d4d0b6df02352faf9a1

SHA256
8e63c1c227c80e4f3ef5a718e34766e775f4dc460a437aaf1d50a515e3de8d1c

SHA512
bbcc486349db51f8a2d59bc5f007b916d3bd4a96399e9850a438c93b9af680ae67747de7c5f768d6c15b0b08569feb3961961486e3f302e9d8177e6817885cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b903c1a2c15c2d79f1d274114d93ce99

SHA1
426d18eb1c753974257dff419a8a4d4040b50c39

SHA256
7d1578a3f0cb93e8952ef7653fa69adfbe8426d501c3c708efed59ef2b7fe151

SHA512
eae3c0ebddd2fd2c6d7664b293b5cf0dccbb7e54c426dbb0d32679f9a5371c40da4d2c588a04da0b9eaa42b2a1d045cd92157943251902dbd50bae81d56053ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ae7f962b37dd0d22ef1afde291998ce

SHA1
e68a0fbb4c17b9aecacb6cef81c5d92d14cf5d67

SHA256
af969ae5eeec64c85682f0c6c0328889bb628a462d4fb92b794eb7db8ab34d83

SHA512
58c7bcf4b1268ca0ed0d533268a90ce75a060b902350a9057547540c6717ff225cd76c05306693b2186f5a658f6b08ef886e04bc2a208d3683bed05248c10325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5317d1227b0f9683f40f08ba5f60c04

SHA1
ea252ab7268287022566ea722968ed8756f4a424

SHA256
b03efbbda264af81746128dea283d9ca98b705594576579b6e4ee094e00d06b6

SHA512
68b2c0c2d7c7a710bc0abd9947bfd08f934a3a68cc0d6bc7069da7358e263366ca9607bf584b4b42ff592ebc4dc5e921266dbef0b871ee2af9d37625aa2d4fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0e6b884f4877837e3f0db594fa8e3bd

SHA1
1ccc703a5683e713d62b10ba3531f529743d5b35

SHA256
64719d4a69e7e94ae03d2bb0e3b4d733608b013908f2046ec258b32e9acc5058

SHA512
6c3a934940eba0be46ab9c634054dc51b37564f77458d1f556167f5f4fbd3286534d5c00be68725b69ea21008a5a458e70779c0db56f31ec4b52a386eacc16cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43509f3c0a8df98ac1ba34a911b3c90a

SHA1
2549e231b2648f529c2c5583863a2884d90ba7e0

SHA256
ee7d68460d881a190018ee91105ac67d361e7c20f78edd15ccde1f5295919139

SHA512
d42b82da9584656a7387aa080e27f08a9fcf201e000bc259b50b99a4b2ecdc2e31cf3f90ba0fd27507f54c8a645d510ca9191c987bd5b819bc7b23ba80cbeb2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bb282823d27311262f3b23b4ee5bb0eb

SHA1
a61a689a3c709047e980875c109c0b2403fde233

SHA256
6ff40245013855ef54122d039ecf023a48200e8db9b42515e4b824bc182173a8

SHA512
3710e5d8d4acc23ef7816166d80549d9ed266dcb2fbb146013e3d0841719c2b3189cee72fece3f303cb7cd99ea93f15051b440a943a9b96e78bbc994be98a445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8b6deb44dc2c5ddf8e4e8832b39469d

SHA1
1ff42dc54af012d87201c753b4862309c401a699

SHA256
39d55c1704d344148f0c9fcae3592772c84aa164780ff405d6a368534ae6b833

SHA512
e54937fe806b8b8b2d92ee04918774d846d30355efc166aee455648cc6193a2333c9ca61ac43b7a1a8e091308feb1df409c4fba09fc70eb02ddaf7345b83cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
98512b6de1983d15d07f15904cbf534a

SHA1
3618ff158a667fef704d316dcc2ed9f08a618222

SHA256
9a65d4b49683043f687d3180b101e61b7575a623aa5d66b484d2643c53610cda

SHA512
0f65b26c1688c7f1f6e1b42b5e23df90b36d935a7951224d4b73fd77a768a536d6c3f1dd6ff78061344560be55d85b3813c4b1c7f40b2fceaea0152e424c016c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4368ce71f70e1448b16481bda22d898f

SHA1
7893c3421be1744dcf476cd4517a0a4d1f3a8a75

SHA256
ae42014971de067c5265d54a1e9128064d1e131c2e775757511f7f88bf47d25e

SHA512
33fad7b6c9e0075930d4423f28805ab5db5d9ab88149b22349d27892a0abc039c51daddc32787f0fb3489b71b8f4da2d2c80d0c7536da1a9881597e46fe59547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e1dccc00f15404f42c7f693245be2a8

SHA1
c56e99f1c71b70e2dbb0fba80c14971320137100

SHA256
5d9773115a47968cd624f013faf036062466b0ce4aaa1122d45e4d38240a7c95

SHA512
62a20742121c496e2fc75b7970b5c2bab25b908eefbdd5e1fe1d1fbc94bfe9fa8750f7a3d9ea309d917d1dc1c0e511b693af818546e6438f092017e6685fa341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
621a7fdff70e50e8cf2d40178ed613b9

SHA1
57545c998ed985ba7b968c54925431de549d99a2

SHA256
2738323804de77dd1dda5d3138b310311297fdf601926f80fabd40325f1d87ce

SHA512
363e7ea571373d3e9a6d9752b7d54d029b683d6623e6ca1905c8b0f96af964939fa44db8f2880f1a5241748e22701d52a9ee03093737a138bf764a7d3735172e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
116141a2202ed7518c0eb1917938bcf1

SHA1
7d05169a070eed5d34d35def3bb4b9a86b3fa83c

SHA256
24f2d8f1dcb3329d54c2e2c5b65e11a62948f657234b543bd2df979c794ee612

SHA512
bd312d0db6a685e1d7f63462ac294444d74b865378a50074b41870a8c8520cae52a5eb77c7965dd1a210f089a113e910c5e07526828fad5283444be103e8a73d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
703a5dcbb6dcd457e8ead9357a6faa44

SHA1
d5984f7a1addab5a7e044604c1037d2fd3430744

SHA256
ba53b0c2193532039e2895fe29b05ad8af3a4ceb8564d6b51f75d6e3be9c0f48

SHA512
6988aee58e8627816d34ad27a619db6f432b5d8b107bdd3d76ec48eb27a6aa9ed502d145e77453ad1aec378e8c167785c5370856a3c853b913130dec6d517a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6321633160bbe272438cd063949189f2

SHA1
a70f20b3333441a46aa1d3ba2a141e21cfb37dc5

SHA256
d00fdb2e89d647140628385f31867d883344d2407427f7de4ea81d4977ab7487

SHA512
cb016f7606ea20421284e83fb1fd636cfb941e2d5a701deda4f735d9bdf90794137fec29cf5b890e89ffd476331a67a0dcf3a189c9231e53ed71fc5715c81d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
00b939d59189d13b8a196166d4d20616

SHA1
e3e84ffa6309b707252e44bf0d060b375f01ca2c

SHA256
6e85a9a573aabcf2338acdeaec4166497a3e198070bf0857ec6607c0f894c45e

SHA512
31ba7ee2030c73862b6206a9fea68c669a374569d493e3c44d8179da384268069839f6fca1bb5e7295cf59feaf2cbfdb2fc7c7040912a9b725262b3df9b9afa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51810898c653b57add88967f6246a9f0

SHA1
658428704479ef9b40499794a1e2acf8dc6b5916

SHA256
2836885848221e6189d7faaa792cc7fd403b2c8bd3a333599f69e4e1a15d3bfb

SHA512
7ad3af306cb654af1c31c83dd8fd21b0620e91f1a722fa42d5fb15b064ff641e3c41a13e86c64b3021924e48fc7748eff576a23cb6330668d68d141b63f79e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86339e163b95a561b55b8c9832a4f3df

SHA1
0fd75a574b6b0a54329146ae7ea04c32492890b3

SHA256
ce3bb0d053e14b3a0d403247e963b4813af2a10a51ca2e136f31abc61a711cd9

SHA512
50a5b2fa0e01de0a9b1bb62c1f0f166e25a2167a8a3c560e64700b681d308a0bd8bff2ec185f882ddf23b19321d5d42164dbaf224a39fc9e8987cc8906e1860b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d2a40de807d45a03e08325c4c4580b7f

SHA1
d4399ad8e35961638da0d837393ba283481b3077

SHA256
1a2f514ea6340b215df0ad57187a1410fca5381dba6c01557a36617beb8c1fa2

SHA512
8cfff5a54abc83111ede7b2729d73a6c244e9b8e495b375a981ed17fb688c80401068f99a1a815067f9f60da4e8bd8557cee13dd2ac08eb5c21ad3784e09e13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
901402d0afd5de692e641ae5996c960d

SHA1
42a582afce58ff1723afbee5f5fe23569774a1c3

SHA256
031de6ad5b9f98600a478d71d96ac021c9962db6bcefce33678d9de0b0b2cc8b

SHA512
005b2fb7fa70ac4a60fe8c233bf14762ef24929b91279e8587ad4334d51970e87621047b9e4f4969de8b8ea3df4cab2bdab866359b8a422e92491e86f90cfc4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a6adc8781cd0130bae366584217293b

SHA1
1b559f5fbbc21c136e38fe03345aceeec88f548b

SHA256
6ef97440e2405242452ed60ca9a0780b503a63842cb8bca9e0006e67bae50607

SHA512
834ce422551e5b14e2a5e7df2a949fa59989ab9f93273cae95448c185ae5051cd7c9b3628e817a5587cbd33d64376424dc35e3008edb7ad89280611415bf66a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579af8.TMP

Filesize
1KB

MD5
219b2e64e150f0ff769ac1ece0f80006

SHA1
bc9c2ca153a0348879027bad10f51cab616ea442

SHA256
ccfcd4a8335f357a47ed8933b57ac0dd7807cc7f41515d5547e38d8f62dbea77

SHA512
8e58beddc50431647184f7a4df8c8652b06a84cf2cebda1bc29706c7e8f6e241734cdadb348ce0ad6afddee6711acb7b3c09b2598f5695cd50b0d3ec3c99ddb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46ab81c915386172eba58db34f411452

SHA1
06bcec78895763eb84714bd6febd26f07f10b806

SHA256
0e28af49c4fb886b7b681ed015ce279277fbc2955b2bcb8f1b5b2816581076ae

SHA512
a123d8bc0099cf22bf8de1acda1fa6f3c7976030b2496b7170547361092cf9611d58ca91316fb3daa2282d7a8c2a7754a1eaaba537697e82ea145b6a6529dbe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
39024d773bb4d804099ee76224b26581

SHA1
6d2b34f25ccad111c5ba11ad16158a137621117a

SHA256
a0277ee28e4bd88d72ced75daada85ee3769533fb402204a8d87cb63fe786041

SHA512
6c08c626e8b372047982290d78aa150a1a27c7a15c2782654e3f440d038b10db3339a1721cfb0ee3f910ae3734e9b2773074bfed0b8427c68c09288a0217bf7a

Download Submit