hxxps://gamejolt[.]com/games/SuperMarioMakerForPC/388294

Analysis

max time kernel
137s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gamejolt.com/games/SuperMarioMakerForPC/388294

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 140199.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
3400	msedge.exe
3400	msedge.exe
1444	identity_helper.exe
1444	identity_helper.exe
4412	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe
1904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5484	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4864	3400	msedge.exe	83
PID 3400 wrote to memory of 4864	3400	msedge.exe	83
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4128	3400	msedge.exe	84
PID 3400 wrote to memory of 4592	3400	msedge.exe	85
PID 3400 wrote to memory of 4592	3400	msedge.exe	85
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86
PID 3400 wrote to memory of 5052	3400	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gamejolt.com/games/SuperMarioMakerForPC/388294
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb9c446f8,0x7fffb9c44708,0x7fffb9c44718
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7216 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10027336778431812334,6299520204285471111,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
95KB

MD5
d51e69415e8113a20bacc06bba4575c7

SHA1
d8c31f9117e4ded6765522912fca5c3daeb0f482

SHA256
7ca2ea3e4fde71c9190456e29249cb6bdb9866ebce1eb13ecc59d701917aba63

SHA512
811a37d35903a339b54ef0b5987131f87b553effac0771f337f0b062ca2124689b4ba40d0dc93455f13a1d0478316aa908ea2c65df61f49c903216b62cbb9358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a8bcbed6184ba4ced3f96abf3c937207

SHA1
b58c08c7ed1b78591f8fd45a51cabc5596d6930b

SHA256
ef2e0376caa087ec3e58241ffdd76752bd8f4d1b76d31259e62f92306af22313

SHA512
1d92018a324058326e0adcebfb98eadc8c3d3a9a8895b7c541f90d2900d4a3448d307a3e3182ee3a589290b5cf4833e54016a5496656e6b4c92499558a4ad6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d77c33ae72d3a8948a9c685bb17cc4e3

SHA1
45ba3e681e60ee94d671655c99831b6c501cc876

SHA256
50a516ab3db8b37f781dadc36413d938485c3215b9b53ef4bbf9a9b9a75e926c

SHA512
420490a2f97e95f6a88386320d29854c415bee8e015c19e2190c5620aaeb4f2a87179a477afe2ed8b9f5067f8befd37d1d4f0537c751a723faf1c0374aa08181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ad6975fad997cd3b6c2708dd02883599

SHA1
354dc9ffc5db580a93e52e14fadbbfa1d0789969

SHA256
f4d2a2cd17623d5608e432fc0533a759fad3dfffd8a5b6ad74427413b410cadb

SHA512
8dd24f2b51df71bcde82e05d055a2ffa7d4cc6a058c3653f863aaafaf75204ed25068370c8ac35f7786e9e835a12cdbe2540c223fa1a468172c5e94c176d37a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
816234c56ff24313da5f1aef8a734097

SHA1
13db21316be1953b5637db820263a05b7653737a

SHA256
7fcc38c31d1fe1c7562c35d3be34922601dadfdc243401b375616a5f9096ff0c

SHA512
78334fcf014767308f4e6232bcb862b95245b0de64bf1ef511ba593f7d64b4f8a6dc88a73e0fecccc2975e6c5cae20057c340428beacc290a1dab1fca1a8d84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1e0a782a570d4ab6186859ab60790272

SHA1
e2c2230c60193392822e9874d7e3de7ef867ca3d

SHA256
9a02fa1f7b94c18845bab27341fb38930c5d22e1e9d71b0807279e924f051b49

SHA512
8d3981e41890082b9bcb1be5e0af790c470321f68f09973a99fa52cc6700f55f6d0c97bffc03a100c468af28cf85bdcb44927ca5b934b5304bd5b5cfabf8a177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d7e75522fd98af10d0c879c3f64f8103

SHA1
b2506221461a190dde1c21823b03bad196085082

SHA256
9361f9c875b2d19666746239dc260f5186d93760440df4a4bc2aab24e33aae42

SHA512
94c6726c1e9e176cdf9f14943cc1843191a95c1a712e37f2914094414cbb261d7ccda7eb1ab15e55019b450071f296df756bddc64f58aeb486c8f6d7c6c80b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
f1d7fb5fc5b6d2fd10587f6ffd1231f2

SHA1
7c1ba6db057de87446530eac0b637ee1ed7e6a38

SHA256
b917f447e0b2f8c99a3521b5e8c8dab5139b5b258eba817541a94475a4fd14a4

SHA512
6e74cd0006ffcdb5b8de1b6c5368132037ab90e7399d242550b1f25601b5b6e95d1153254244e0cbff6a6dcaae30a7db25f51d9fb7266ba09e98fd19ad141408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9eb1763c5446cc8ef8dac1fc20befc31

SHA1
81dd8b97d860b9540edcde47aa4bbf93283edbf3

SHA256
d069ff6e1fc22e8dd3cc3b810f10d6adf753e43b4bc98818162b3385d6c541ab

SHA512
6ed1c3f584e9dccaeea9329d99a63bef2e8ade1165a249e2467585b7ebeb621b29695e0810835bc0507a6b1c5f8b948422335721972d2c30f0a0f1c2f02108f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
690d0275a8fe47216b3b66d37e149e68

SHA1
97333232d88e5a785b97770f312ba51f9c8348fe

SHA256
f3b76dd04ac326ad79339148a909a79f8db8731e5c96526d5baade5e2fd1908d

SHA512
08f553e46155e73018ef8f222bd82ddf75b194efea15b9dd87f8078f6c50de5cb16763e6a5d757f1222c0c0e9f17bcc13d27db7744a5da4caf8f518beac44ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
1e3010cca4667793871ccf2a1ecc3150

SHA1
2179c6cef54b4003de373d72e3c3f5eab03551ed

SHA256
a58a09149bd45932731fbdff0dae41d138d0f5227ae331c7f6adaf03dceb6483

SHA512
96c75ce855bb6e600d5894b0b6cc59278481f6229d3a2e46d2e94cd0b0b8ebf9ecfcf1ed425150df2d2c5065a9450724772f4d98d1dd99e1041f8c08eef54f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d65ba8987832de5e1bd70fa417c5593

SHA1
9bcfd7fd8b25e0bcbc02b8e237f84c5d10b9b656

SHA256
943d6d2ba44fb60896c4a79e09ee35e7e2bab185869af5df90e779d10496b78c

SHA512
bf38bd747f7cc65b3470fbcb83d716dd016df6b49a6987d6ceccf16d670c4481a4daaf6c7ff008d30bcb4a1d8f840b46c3328affe8d1ae55d3f594b085eb16ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba2eb8e6289ea66d69c2f93eed63482a

SHA1
1a80110fa2a13fd92ec9d40655d4923d4ddab8cf

SHA256
7f6c4e6fab400c2fa6fa7c7daaed12e9871d001010e25a37013c08e687871833

SHA512
93402d7be1a7b4d04e4764ccf6dcd7dbe012e853dd23c0b3e91586b40cd811aefbe7d972876b11db554862a0d805eac46350b577c354f955ccd2e2fabdf1ee21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b064829b7cb007ae32b1783876168f2f

SHA1
79b9366223ac8d7a99d599257693147feb41a164

SHA256
3fe0b5d2f4e56a91172253fb4f1bdc92328c50e954b235d4a99a001475d520dd

SHA512
e0c218980cf826a0fec7aa6ac6f0d97173028f0225443724ee887df91ae3347187c804aaa98d0fa32062c98d77a403e1203a39f44dcda5f028dda24cefc6031c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db39af69cea46952bcfc01d7ce86d4c4

SHA1
78e30090d15d905e5651cf46518a060cd4f01531

SHA256
107c77405feb328ad4730c40ab8e373e783d7149aebd7df4912e76d2b5bbf054

SHA512
7a50b17911dd84c65cc30815c7482478c2b9bb97dc0dc6c00f2d742c8a9189d21dcaaa138a35e3352ef68a5f9f98b1eb48ec83246312b66d476fc3a4a25e806c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5897e6.TMP

Filesize
539B

MD5
e697413498574ab1fac8b61c26d82c52

SHA1
3d8ff4fbc2b92664b4d7a89ab5c4a87c6182c209

SHA256
3006c09831c0de778fdbdbf815db69fb25af949847e94a781f1b6fe711bc5659

SHA512
ce1aa6a91d61ddcaf54edf23e06b7206929bacfda810ecc32d30fd554c692185a4aad764c5b07082fef10d99951d50d5465da33d3781cc3ddc80b84923138ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c72a74c9e6f3bca3d74fd6ee4034d0b9

SHA1
40d5645f9a4a2db3be4dbb5542ec4dbabc1a1a63

SHA256
b8e0872cfdbc99e759819e2297efd41c4982d4cd34936cf1445c505df0a22f2f

SHA512
8e58ef83395c8b3835b0cded534729deac817a37b50d8c05d7b4b2ed339ce4be0c0059161cf1a13a4e873ee7f461821dfde862bdf439655885b4872fa442dc3a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 140199.crdownload

Filesize
3.4MB

MD5
251317268548465631a17f67327a9c95

SHA1
dee8b79c809869021ee6120c169f692d672bf3f4

SHA256
c67cc4e068abb2c7f9b11fafc67b6f664833516fc6f18a0f2fb90bc6bdd10450

SHA512
f1f7893f64592d0a2c77968b85bc0cb10ba2e598a28929eaf4b5b4b5a2bcbcbf1a1532503823420a8299d72a5977816613e985c87a81d5b0ea5f13358377ce2f

Download Submit