be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe
Size

146KB
MD5

5d4592a1b5c1c6c2bfaf30cd21f74543
SHA1

2edfe9c61625b9d91c6bd3ca850603eac78fadce
SHA256

be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf
SHA512

bbbe6b210c4bbb1648e74e717a9e42754761684198d2ece2845222f20fab6cd0f9054a1e8d937ba52723bd7fe5fc2040d701c9d7c5b62575f81cfaf8d0bf64d7
SSDEEP

768:Qy27A634zIWia9NfuyigGsc5ijv3x20ZitccG0U/AjGL9eOnXaIZdgGtmDw:Qy27AGu3zfuyignXz380ZitccnwcOYs

Score

9^/10

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2244-1-0x0000000000E30000-0x0000000000E5A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

32 discord.com
34 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
32	discord.com
34	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{F16DA373-94E9-4535-801E-9CC755ED129D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe
2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe
536	msedge.exe
536	msedge.exe
4104	msedge.exe
4104	msedge.exe
4072	msedge.exe
4072	msedge.exe
1560	msedge.exe
1560	msedge.exe
2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe
2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe
4916	identity_helper.exe
4916	identity_helper.exe
5032	msedge.exe
5032	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe

description pid process

Token: SeDebugPrivilege 2244 be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe

description	pid	process
Token: SeDebugPrivilege	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2244 wrote to memory of 4104	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe	msedge.exe
PID 2244 wrote to memory of 4104	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe	msedge.exe
PID 4104 wrote to memory of 3944	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 3944	4104	msedge.exe	msedge.exe
PID 2244 wrote to memory of 2016	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe	msedge.exe
PID 2244 wrote to memory of 2016	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe	msedge.exe
PID 2016 wrote to memory of 2988	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2988	2016	msedge.exe	msedge.exe
PID 2244 wrote to memory of 2624	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe	msedge.exe
PID 2244 wrote to memory of 2624	2244	be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe	msedge.exe
PID 2624 wrote to memory of 2236	2624	msedge.exe	msedge.exe
PID 2624 wrote to memory of 2236	2624	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1168	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 536	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 536	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe
PID 4104 wrote to memory of 1920	4104	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe
"C:\Users\Admin\AppData\Local\Temp\be1d3cd23c551d3e4bd8cfceab3670fe6f8165aebe6edeae2a6281e65c229dcf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://easyexploits.com/redirectad2
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4f3746f8,0x7ffd4f374708,0x7ffd4f374718
3⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
3⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
3⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
3⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
3⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
3⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
3⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
3⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
3⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
3⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
3⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
3⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
3⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
3⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
3⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4164 /prefetch:8
3⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5320 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
3⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
3⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9675629729941161626,15259110331548752944,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5828 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/9APgdkhTEk
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4f3746f8,0x7ffd4f374708,0x7ffd4f374718
3⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8252605247023094534,5929826170848803070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8252605247023094534,5929826170848803070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://easyexploits.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4f3746f8,0x7ffd4f374708,0x7ffd4f374718
3⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1528,3485465337901714582,5338714496408068793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
3⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,3485465337901714582,5338714496408068793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1c229ac1d6660856826b5ccb7bba5c51

SHA1
a5deac51bd812f52a1ce00218b598d52a2402ee7

SHA256
0d228c768aaf7a0f6e768f12d5d33dfc52dc62912bd0f27f6a0af74352b027ed

SHA512
16cdc71ebb91131df3d135066f600b44b42b3908a3e89c999e8c244c183eadbb065f45289d76876c5b2c54e5407f10cc2e15e3419ac8183dcf24fe10d9dfa2de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
a42b18343a9a08ffbbfc3bb53e539ef3

SHA1
c59a8bfdd95718d7b1bbcb1ea767123a7b374f0a

SHA256
d1cf81890c16b20605bfa305ce01165e675def2ebbbad9af54f658443f605ab6

SHA512
d32c94022daf607f4c4460bd65785362b3360cba323432d4c0a1505f93ed15cdfd028e1b2297e4ce1d8b2997c148489f50eeb0d668708ed78618caceff04dcc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
70dcffdcbeea940d3b87e60284dad050

SHA1
cb9bb7ebc0f480be5ca0d3405dc00cef02988643

SHA256
285f9a317e314932ed325ed21a585a0f36c22f4cbee031db87ea02172f3898d7

SHA512
e43fae037be48f7371cabfe91cdf2ede36c594c2dbe2e233198dba10f76fa9d225c643d11eac2794909fcf74101d88aba4d5c174d61e2b2415c2dde3e89e781f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3bf52530403a981c2b89875558614fc6

SHA1
02dfd1433cea3bf3f9569b8c23403124b554bd1b

SHA256
1fcf08816ca552d9e8fb7d71cf768e5dd7569ae6f1289840be6c55d73d242f2e

SHA512
16bb51a582fff38df6b4b45e1f1b60dec33a2cfd0511db0a76b71f806bc1f232f2b789eb3343c6a72511d409464d3d017b4ddd2a3895bc32ee2e1d3443b6a1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
771901bb92a7f21611b9fe658f001a55

SHA1
bd4ab2546af3e78ae21f8a0ce1a1a74066c5a045

SHA256
3837497f7f1cf30037cc07b042b9d75460ede637be0711c5d20316803d76a7f4

SHA512
953ae5a1ed9af47cc4734c30a078799a66565571ec9c6ad48f53dcd2d9f84431fd0a133cea30af2f169f0019b4106c076ecb810b14e26ba1f7984f259a7b3569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fe93a2470004530a504bfe85a4e24372

SHA1
568c564b392b3c5bbcbfcca03a3e0e71e3a40c9f

SHA256
1303c6d1c4449a0f5fb10a50d6c40439805e1ed728c06f687764c5eadf58c80d

SHA512
0a9062934516ba125854181e3c493f3dc7b9caafc16b8937f3435858f9dd37ab6fe100e37b3c903bae378385175400b1223b7098113b13666156bc1e273351b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
23f615a2c9e96900bcc598b2e2b40669

SHA1
ab451a53ccf810062f3af6fbaffd75e814a949f7

SHA256
51c495a88ccf42a2c717fefb5a00f580f427ce96691fc13022872c3af9cc99ae

SHA512
2686572ea06d8badcca0257e4bf6f36c065b461388592c0a6c025c958c34e8890776514f1dc4ae0abde41ead4969713345194a076531b268bd569a9dab2d8616

Download Submit
\??\pipe\LOCAL\crashpad_4104_XXSLULGZNPJOZWUI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2244-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/2244-6-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2244-117-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2244-5-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/2244-4-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/2244-3-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/2244-2-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/2244-1-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download