hxxps://extremevpn[.]com/blog/free-streaming-sites-movies-tv-shows/

Analysis

max time kernel
11s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://extremevpn.com/blog/free-streaming-sites-movies-tv-shows/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
1756	msedge.exe
1756	msedge.exe
1532	identity_helper.exe
1532	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4648	1756	msedge.exe	84
PID 1756 wrote to memory of 4648	1756	msedge.exe	84
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2392	1756	msedge.exe	85
PID 1756 wrote to memory of 2576	1756	msedge.exe	86
PID 1756 wrote to memory of 2576	1756	msedge.exe	86
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87
PID 1756 wrote to memory of 5016	1756	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://extremevpn.com/blog/free-streaming-sites-movies-tv-shows/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9783446f8,0x7ff978344708,0x7ff978344718
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,14261258652949055379,880515074882727808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea9ef805116c4ab90b5800c7cd94ab71

SHA1
eb9c7b8922c8ef79eef1009ab7f530bb57fbbbea

SHA256
bff3e3629de76b8b8dd001c3d8fb986e841c392dfe1982081751b92f5bd567b0

SHA512
8c907d2616ce16cfe08ddeb632f93402e765c5d9430a46e90ab5ea32d4df0a854c6007b19f9b0168254ab7aadf720fed8c68d1a055704db09c1b36c201a9b3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
347755403306a2694773b0c232d3ab2c

SHA1
94d908aa90533fcaef3f1eb5aa93fee183d5f6ac

SHA256
d43f2dd4ac5b6ba779100eb8b84bc92fc8700bedcd339a801c5260b1bb3ce3bf

SHA512
98f1fb18bc34dfc224132dfa2a2e6a131b280b25fcb516fac3bb66da2a47c7a7061124881de6fa5f65602663dc0ea71357b171a3346bb1514176943438322253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\569860d9-b35d-4f6b-bb9c-4da3db3f0f8f.tmp

Filesize
6KB

MD5
d7d9dc66d1db9bbe4462c621bbf9d1a2

SHA1
4088ea7b11094a7dd7fe9bed0f70e3c98eaa0309

SHA256
fa442f4013594977c100ac2b74b7873cb44ea140f066b43c844e5d6e28dfe8e3

SHA512
8bb4483f7fe94a9a3fe188f2de453ff6c49c77df6a7830341b90ad5da1369b9b778699a294c07057ee081015bd4605e4a47e1e4bc49b250cbb6a84dc386d6d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ca102181e6ff4b77230a16d5f1f849c

SHA1
5aa9526c1e5efe76ec0d6ed104daca808d472bda

SHA256
d157541ae999b289292b9f3270873e5e5c4ed94899f7d6b17ba24ffd96889199

SHA512
f4b0c4d176a697ba7f1d7c22e0f9b6a6e9f954e8c6e2e024f39db7a968d5b4b4284179ec7a776e8927f1fdac03e88f208518d4fce6c456a3e761859bc958842b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3ce72c0eb786de2bc63f1f15154ab04

SHA1
0dfead3e00350733c9b33c86dbbb726296b03969

SHA256
5c3587eb66a30299c0438dd02613733898f91dd9f47e99d34b6844284a8422a8

SHA512
ddd9036bd2ba0a57c0229c8345626fae339c4e03d902149e8faeaa315ad3ec3ef61df91184a938970b11e33f69bfadf3c4de6bce10451019a98e802d8c3b9045

Download Submit