hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbWVkR3E0dWtXSFh4M2xlRm9pMmdrSk92M2psZ3xBQ3Jtc0ttdThqUHMzMlhfb3pHVHRacFNibFVnUHlzT2xfNlBFRmxkMUJQcGZiaUtkcTFDY0RINmlWUERiUlBCQnN5dm42UDFTMDNYVXJET2NyUThNUlY5R2FzSktTOXA5SWt5U3pvRmdzd1d6SVlHWFdPN0ZKSQ&q=https%3A%2F%2Floot-link[.]com%2Fs%3Fc352d6ff&v=hGMTrPXQ7ec

Resubmissions

22-07-2024 18:03

240722-wm5slszcpd 6

22-07-2024 18:00

240722-wlej2azgqk 6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWVkR3E0dWtXSFh4M2xlRm9pMmdrSk92M2psZ3xBQ3Jtc0ttdThqUHMzMlhfb3pHVHRacFNibFVnUHlzT2xfNlBFRmxkMUJQcGZiaUtkcTFDY0RINmlWUERiUlBCQnN5dm42UDFTMDNYVXJET2NyUThNUlY5R2FzSktTOXA5SWt5U3pvRmdzd1d6SVlHWFdPN0ZKSQ&q=https%3A%2F%2Floot-link.com%2Fs%3Fc352d6ff&v=hGMTrPXQ7ec

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
263	discord.com
264	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3212	msedge.exe
3212	msedge.exe
4528	identity_helper.exe
4528	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2304	3212	msedge.exe	84
PID 3212 wrote to memory of 2304	3212	msedge.exe	84
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 924	3212	msedge.exe	85
PID 3212 wrote to memory of 3976	3212	msedge.exe	86
PID 3212 wrote to memory of 3976	3212	msedge.exe	86
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87
PID 3212 wrote to memory of 4568	3212	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWVkR3E0dWtXSFh4M2xlRm9pMmdrSk92M2psZ3xBQ3Jtc0ttdThqUHMzMlhfb3pHVHRacFNibFVnUHlzT2xfNlBFRmxkMUJQcGZiaUtkcTFDY0RINmlWUERiUlBCQnN5dm42UDFTMDNYVXJET2NyUThNUlY5R2FzSktTOXA5SWt5U3pvRmdzd1d6SVlHWFdPN0ZKSQ&q=https%3A%2F%2Floot-link.com%2Fs%3Fc352d6ff&v=hGMTrPXQ7ec
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdccaf46f8,0x7ffdccaf4708,0x7ffdccaf4718
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3060 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6204 /prefetch:2
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2525937953679770768,935089515162728265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x51c
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6f9b3c73-e328-4640-a7ae-7e31b8a3afb8.tmp

Filesize
706B

MD5
a2ab3d48c42bef92dc7198e22e56aea2

SHA1
53b42cc1f906f509a5680986386085c6d7708228

SHA256
ba420f48a2fe7f73257437bbbd27c28cb3c8e19e6ae04f1f5d8c0f85b3806158

SHA512
9047d2e2600822056e116aa1c357e49e9e69d9caa0118f7ea82a23b1765831532f48e0acfe6cb1041f4512a64724210ad3112b7ced80b84275ea1d197a5649c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
456B

MD5
4224a189d322b49aa1aa858925a8c431

SHA1
6accc13aaed1a5637953311393a0880347120e8d

SHA256
7e710f5e5e9f9a063fda70c15b0d59c16502a4319992aab2f5c9c89acfae5512

SHA512
fea2484f68494237119f5199b4204e52ccfb898e2701de79cdd1832b8eff079c38f89b3ca0fb4003a6e4a4020df5c1e5d3a159f0e0149f9898edefbb2a19e8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c31e8c9f8c4a36499bed4ac166ad7871

SHA1
70b2614b61f4b706aafa939da15e26c8ab94e90d

SHA256
78c1d8e7619a4752a3fd8a874bd766ec5bc657bc644669ea0dbc0ead2a6a56eb

SHA512
aa40e4018791ced8db19aa056173aec282b90e34afed3560257dc76dd6c84fd68b69d070672bfca5f049c358e92371fa295f7ebdf43fec3cd9bf7a952a33bdaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3679e5c72e24676cc2b24edca20425cc

SHA1
6a2461fb05e2a95c3816a4a31a2dfa4374436b25

SHA256
ee623e65c1db11fd28362b794e3c13ed752bdabf5b15599aaefd6642ab83957a

SHA512
bdf4d6f392bf51fcf39ccb941b5310809453b4871e6ee0e00a61c6a96fa242465e26bdce22987873e3e77821626e891a1bb795ec31509271c642c26ce1d8c568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b86ae1c710375b9959154a974a8f92e7

SHA1
6a144439d659454fa4c98db68a0eba0345c403cb

SHA256
619bf610d28f41af27eb6e791951e6dabc67e23c9368e23743b13523a05486f2

SHA512
a0717b84b5f99a246a8c8ad892a6ea929833420d2241950d24d23e40c59b02b1e2f4b951c832c2b9a7a266de3459e09fc0b8c3462f8eec2e25fe68c38763a854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
1bf3cd0fbf7ef2062a0cb0defc1f63e0

SHA1
d728dc2a6548447f3baf2189a96975d1c926a241

SHA256
7da813b3efc42f63d4135e969a279673d64050cdff3ceea6c882215fcc14b9e6

SHA512
7a68cd60ebe541e413ae57494249e8a4a2af1a6d0a54c3578043da1cfb3a1929af91a017b8a19bf2a37cdeac48274c483e4d99ab010c8c927c48979a293e628b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be0885dbea0299f48df829925dfae2c0

SHA1
9f88e4aa26476952d47f826595406c4f61f2cefa

SHA256
439c30ef76b1d55e5bd805e048b1f604315f10e0278a3d37ecc434b4cbfa6819

SHA512
a9d57c8af412bd55871137c6e54be797503c4401864e2600219c9998adc736b85c8cc40968fd0919968695e3a04d19b8424e6086ea77acf9a8ee2add07baaf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86ebb68d33643762af96cae85a231db7

SHA1
071bd44d8ef9f6e3267fdb8605dcbd5d35579bf0

SHA256
c08bb8f2ea8a43678755ef1715dce4fdee743350622d404612d74bb315a09b8f

SHA512
9fb2acd97921f6db1dd58cc6086c247310c23fd27e8f36f8c38c9ca931d800134fdfe2f2063059647c9e4b70367b5a71f6f6a59ad1d452ab3d475099ea7c9067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b53f5bb5fde279c8336491d7a1ce26e3

SHA1
361c489e263260764a8a0dd56a45b1baf6242f8e

SHA256
9dc8619875689f43eb8776139e0fc94422de9bf7a07d169fc282c38edeaa3566

SHA512
89ebba1da8f8710efd0a43b5b88399418fc1471c2678582a182434ce51a922831a8acbcfa49fbdf8c0ca3c8d2eb629c19893a99e8c5871c90004b37802cd0434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0874f0cc765160aa0e559807f10f6594

SHA1
c2aa0687dd44eef73d4682f543080c0fac63d52a

SHA256
18ed85b847501e7ed4cab1be6759fb6cf9493eb4647290940eafdd3c17b1e851

SHA512
10eb12d497a95082b94bc4e0aaa04455dcb9e9b428e1c705ec2944a24dd12bf8e036c106c2877e225f2a7ca70295b8389e9d1db268da1cd848ce83fff1dbb8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f601f4c52a4563a75554df379bbb2c10

SHA1
1047ce5b84f97ebbc5da5a4f3b083dfd10518e04

SHA256
79c0e7f6f3feeaedfc584fa0e5c0593caffd825b4f031e4a369dd8c71e7b09cb

SHA512
2b50c887b59772fd81bd3a859f7fb0dfeb7539992e0c6bc0eed83023b01026cf98d48f8117600942c2359695a255c548a34f7407aae58f1238b6c7d248504481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a864d52122743b4b461f15e00fa1b7e4

SHA1
6064fe4a021413f035d9681f3e0c9dc2664b4b3d

SHA256
24a4017ee5c5c264ee7a6e797e4fb140e78dc69cb6b3e67aec930339d54e2f1d

SHA512
2bfba248f1b3d5d39312531c8dd824c8568f93bbd28828fa6627f817af9c4f55037b4718bb568a81ba914cc9dce356940f85bda8cc900afe551f2955f8266252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
58b55ace2f912e6d5b573718e8ad478f

SHA1
65d52b1c44e4821636268d6d3f7bb250aa21cffc

SHA256
ec03551356b6e3aaecf05d0d7d55ea9594531a5dfe0013137f33272e6843fc95

SHA512
f9a92cfb3cda28385a8cc6459f14c1240d2b9a65a4a6c98aadce374f215c882730305bd457777187a062130073c18cd7b913c3cb21a2c5b5717ccb3966cacf27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c52092016e9b273fa96def2e3f208f45

SHA1
0dfc79c6199b27115ce8af88333dc5eae0cc6518

SHA256
0db08fa854033db9a46346014554c2d4b802d5322b45258f1a5ff9cdf961c315

SHA512
a22601021935c62f4575fdd9dcbfd4ca0aeffce30837688ed3921d6c85c8910f8d34782a255c83f86ec346559d3b9ebdc9c65c81efd5a1c36599a9d30f1037c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7995328046dde7027af4aa5a5703c274

SHA1
e4694e1d645a614a615ce8dc9fcbb6b0d4e99540

SHA256
9c52889ff5edc8ce5f1e87d78b5e24a9d1d3182a792f8f3c8f74482cb0bb8675

SHA512
df2f88e50a99e1d587ba2e6724ac393ee1bc5d5c265761762d8fd6599d88bd55c2a750a29ce361eb77e22e2ecd70b313f1dc98cc33f85d45178670c7752bd60d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5820d1.TMP

Filesize
204B

MD5
d9885a6a7c3e445cf6aab3a3807bca8e

SHA1
28c40335731fa6e36592fe9adb92a5db0e5aa772

SHA256
98d892376e25e1ab154db61bdf2ab84f96ce200bfd39642b1991a7305bae618a

SHA512
6380826ed56177f7ef68f1ffe7a595b2c022d8d00df14e853b4f3fd388073454b3af970c176ef7472c9222f5e34078e516c5a777a23a93d5d380cfe4f20dd963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2bc16ec05f38ff4a62c3360b6c732f41

SHA1
5f746643084f86c9c778a571c4de1f494e11254c

SHA256
2c86ea1fe645176d683886ebb70a3437dc97ed9df8c428cf1eceadb389f224f4

SHA512
9bab12cb7686cc8e1ed88159b4070962734733a2346427a9c7a0b87dff26dc0e98c31d03e3a693f241c6da8f198fdf60ec595e360ec8bc4a6ac651947eb58eb5

Download Submit