d29aa7378f7af6bec15789ad03d3591e075bc0f31915b799ee1c4b0b233c4136

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boston/Binaries/Win64/OnlineFix.url
Size

46B
MD5

59bf167dc52a52f6e45f418f8c73ffa1
SHA1

fa006950a6a971e89d4a1c23070d458a30463999
SHA256

3cb526cccccc54af4c006fff00d1f48f830d08cdd4a2f21213856065666ef38e
SHA512

00005820f0418d4a3b802de4a7055475c88d79c2ee3ebfa580b7ae66a12c6966e5b092a02dc0f40db0fd3b821ea28d4aec14d7d404ead4ea88dc54a1815ffe26

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	discord.com
35	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
2564	msedge.exe
2564	msedge.exe
2100	identity_helper.exe
2100	identity_helper.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2564	1676	rundll32.exe	83
PID 1676 wrote to memory of 2564	1676	rundll32.exe	83
PID 2564 wrote to memory of 1456	2564	msedge.exe	85
PID 2564 wrote to memory of 1456	2564	msedge.exe	85
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 1720	2564	msedge.exe	86
PID 2564 wrote to memory of 4272	2564	msedge.exe	87
PID 2564 wrote to memory of 4272	2564	msedge.exe	87
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88
PID 2564 wrote to memory of 3528	2564	msedge.exe	88

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Boston\Binaries\Win64\OnlineFix.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://online-fix.me/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb611046f8,0x7ffb61104708,0x7ffb61104718
    3⤵
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:1720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:2716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5408 /prefetch:8
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5752 /prefetch:8
    3⤵
    PID:828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    3⤵
    PID:828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
    3⤵
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
    3⤵
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
    3⤵
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    3⤵
    PID:2568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
    3⤵
    PID:4320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
    3⤵
    PID:3296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
    3⤵
    PID:4168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17997099834752270602,10338003656663112936,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x45c
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000085

Filesize
250KB

MD5
29b1adf527657e404731bcb7271b79f8

SHA1
50aae42abf35013822edd2004b109c1dca12e96b

SHA256
4fbab2df29d82f1d5d1ab88a4cd42dfbfd777934ed5b177324542239df37bcc8

SHA512
17d123f7b9e62a158ab2589750da30e0d8290f910052d0d464a7f5a40d4e5011c8c33ee4804000fbc52f1c4e27b8d04cf7fd1bf13a9a9b07ac2376fad1e6ed56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008c

Filesize
182KB

MD5
6507ca0483cc6c183a1c51ed2529de0d

SHA1
94bb10853cfe35a5a057e487257634228c9a2acb

SHA256
c978a4b66dc26bfd41ae13e930a2c4eb040f356fbc05a89ff2027928824c8dba

SHA512
a568c25a91ed68a4b9d7f82e956f2305a59d0c0d0da9e2042064a301cf907af8b32445c497a24ecf97d8f40d3b4cd7d412f49f1b223f88e6c9310f7354f4701c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\429ea9adfcf41ecd_0

Filesize
38KB

MD5
0ad5cb64f736440fa3d73c275bf4fd48

SHA1
e6901662de993d8163d30ebd135a7cc60b29a6ca

SHA256
86dcb79ed91fb83afd2e61d0002f7fbea8e4201cff23153341bc7d0e5b3b4b4f

SHA512
43458b44f1d58e207b20d9f04b47a8afebb81b172c7b3e84a293b1bf3484649c8bdb6fa2d3a7aed4c8d2365fdb3f28e8827d05302d50ddbb9e8834258f7fb966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
05a00399e01d3cb4cced4ec2892e428f

SHA1
2272a1f305cb0520265793989006165f379d83cd

SHA256
3ce142ed4cd1d476bb90c9c8d2ea6f3356e395c34667323ba97407e59b89bc03

SHA512
bff0f4d42a981f3b6bbdecce320fd393f60edcf14867b1385e225a036138be64376288dab64f735eb561708bb27efe4186025d6d9e8c72f3b2ec45718a6f23db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5c2ec3a182b4ff9234c0584ce8acf1c1

SHA1
c9fed574d051a31805cdb577f8d589cc8a153cdf

SHA256
c6197d231b2f9bf87ed257da90aacf1b925d09dd4736d29c9080d05aaff39671

SHA512
f624766fe8653062ef71b1bdcc40de9aebf40df5f4e70b7f0620e12e2941fae373584a3db11dca034d42dd58855ee2d60bab0872593569c6fca2143b7e0a46dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
fb4bb5168432b999e72c0bc0e9be91c0

SHA1
05e0eb354f1908ef01645999d7bdb0fe4bd9e4e7

SHA256
784f36291f3a3c8ded47dacb57b8fd2fb0ddc9ff3856d24083a51d116fbf974b

SHA512
f5f29c146198e9fd3f3b8fa3e190b9acae4c6e155cf87f3f43eda2cd5b0087115155cdd0979d030e6215f64bf5c184f6d4b8e87b86f51f1823d55acc172c9c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5dfbf8d8f68e2d9ae06016d7c6a3b43

SHA1
dc727d36c339934e52d22dc0c5318154390206d1

SHA256
5d6e295ebd3ffb9c4e09234553c7a55228b076f1fc295cd9287c3f71d6701f02

SHA512
1126970f86521c3911a503262b4a06981a9da7e02a33ddbcc1c2b098107c4c04e4d739d2b0d8305166b098fa7bf6f31b7bc0ecb096b3c763a33797272ac703d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7f263682ba1e7d03274ef7c5565f1759

SHA1
3d02238a31ebcdf22adad8ae7f217ffc7a7bbed1

SHA256
8b20cafb9c503a53a52d467699d26bf37292b3a4c590de9d73851856882be2f6

SHA512
9bb32e2829a3caeecca46a6b42b15d988223faf4e20e11dde1e3fec6be005106a585c66f04dc1ba0f1699e5e17448f229efc978a2709c016d687abb66cd48c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
620e01820ecf914450b13b3475da9699

SHA1
0af078d8b9094197e5b069851b6fbe803f92c663

SHA256
3c473db876cdc11597ef35154ca15d8a052b535678cd1e576ab4ea9a4764a98c

SHA512
59c1ee77e6798a1917b99a74bd39aa0407e37150a66c99d3d5b1741c538caf4ffb27711591e19ee4cd4fe162c1f827d4a822b9a0bb252e34668dbd397de739c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b5b308fdbdf0a8eba6044b4efe466b6b

SHA1
0bb7a281f736e221f0246839d5cbc08ab4980fde

SHA256
418937279571ce0eb49d23d83b9789059134bddef6f6dc296d6cfaad7f0b1d42

SHA512
45a6d6a2be5a4313ef1b57ee24d0dc2b1617b4b875ea10b8efc64b00b2a05c8b92280a5a0292851ed5fab6f3569d335727261c01e54d95679461c85854bc9812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
15e06f663fc2450f7a182c6c8835a727

SHA1
c22c4ed639dd7936c7cc744f73f0ddd44497160d

SHA256
7cc182d511f7e8d2e432e88760579408c863a55cdd91236921c33e1c72a0d2ac

SHA512
c3c4537f99f90249e87322ade1e104531db896c2d936a656152ebb84703a23886142dbb47f3ecaefb0d2a4c18b6e9387f2019a54db72f491c8a3d41ab65a2a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ca3cef00e17d7f86c298762abd2e356b

SHA1
a2acf980654a39cd98d23872ab5490be1ecd7189

SHA256
76e73597a5a149b1824632f95f17b85051e0b69ad3f4cfc9d0dc775f13aacd61

SHA512
8a8427b4b980d5f77bd414fc2c42fd9903abf5af86bee9819a53ad5662c71f7002b4f24dbfc7adffa8e7afc6cb356acfe245636e85c02dcd54ce969e2517d647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
45b125449bc5d50105737277d188112c

SHA1
cc8da962cebfc2edb98ae14154494a5f4068b630

SHA256
7ff88d340055a0dcc672cf9989eff3ec56888673cdecd1254c47c7fd77f0698c

SHA512
efe7068b69bef9a3310326ae850b6c6906d77d26d3a78dccf258c27e315e6136a90dec6d3279b0b83fd952ccbf42dcecce0771a960c419a2404dc1f22c2e6347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
819db1c2431de97e4f0c026529c6ffc7

SHA1
3f62f57af376f64d32bd910961d18f03dfffc31f

SHA256
3074466f59fcc0a9b921dad63c050e72083fda49726cdb54d7421fe467d6f47c

SHA512
c63636eb4b4ccef5352645cac81ae86a3d6b63b2ab50b87e8c3a0ef559772e183207a34f49b52772f93d8c39e8c9ec716c0e717ae76cfecf65383654319c5a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
14e0fd29e56782af4b7c4caee60e5de3

SHA1
95e3e332b5aa2704eb30bb792c13079c3960905d

SHA256
333b0007b45a0ef4c42ac2929974f6b62b9f70fd186ff4126525b485c7fc5cf4

SHA512
985b234932de5f3b8ee650e4f37a0801228123e3c2610230ac748c312b29ca1a170786c901b2d0ade853b2e217971644e431a9020e7d07a6087eee4ea268bafe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e177.TMP

Filesize
2KB

MD5
9a8fbd894ee9d5bf45b93a3bcf165d03

SHA1
f2701ae4c16444ba05cfeb031eb8f271c3f25f49

SHA256
75a8715beab9d72b43ca395e59fbdbce6b9ba5e84ff60016d08044ee6a1aaa2b

SHA512
87f30fc950854234e18504c1632627931b451308da8900cb337c3aeecf75340b5012c363ee6d301d43cb2f13b2e36ae5aced6268448642211dd710022579e095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85e47615aa23cb71e11b2609965924ca

SHA1
f6bcca6de0cc84fe8313886972c4b40c0365dfe3

SHA256
ebaf8484556e0ddb337e63be1b0779daaf98f0ca8384e8495732c3110a98187c

SHA512
209a4e2c25718e2b2b46226dfb49cafba286c2856083973c6c8bb3381dbf9ec3d35841520509afe92e87060afcac05e4c5003842ee27e1b27d81ea9e26276b69

Download Submit