hxxps://download2339[.]mediafire[.]com/s7wz84q67jagLz1e-SoTTsvxb-whPzStMkiFdvMm-vbPetC59GD6ICf1x9TDdReEM-cvpMMdVdK8NJPm8Jrv0A1SIeKtdr2SQp_hRQTw2axEFvAncHVLw8-8bbor6oi0Uhuu1PuxluVPcNgK-ITWjDHyOVzOFWGvI-1etXiu9gO7cFc/jmxcdbcpk7ml8ts/RB_scri%27%2B%27pt_install_x64_x32bit[.]7z

max time kernel
80s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2339.mediafire.com/s7wz84q67jagLz1e-SoTTsvxb-whPzStMkiFdvMm-vbPetC59GD6ICf1x9TDdReEM-cvpMMdVdK8NJPm8Jrv0A1SIeKtdr2SQp_hRQTw2axEFvAncHVLw8-8bbor6oi0Uhuu1PuxluVPcNgK-ITWjDHyOVzOFWGvI-1etXiu9gO7cFc/jmxcdbcpk7ml8ts/RB_scri%27%2B%27pt_install_x64_x32bit.7z

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1048	Dead Fish-GDIOnly.exe
1140	Dead Fish-GDIOnly.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
143	raw.githubusercontent.com
144	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{15CE8EFB-FC29-41A6-B6C5-A6483A094651}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 464088.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
4896	msedge.exe
4896	msedge.exe
4020	identity_helper.exe
4020	identity_helper.exe
3824	msedge.exe
3824	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3268	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4092	4896	msedge.exe	83
PID 4896 wrote to memory of 4092	4896	msedge.exe	83
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	84
PID 4896 wrote to memory of 2432	4896	msedge.exe	85
PID 4896 wrote to memory of 2432	4896	msedge.exe	85
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86
PID 4896 wrote to memory of 2956	4896	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download2339.mediafire.com/s7wz84q67jagLz1e-SoTTsvxb-whPzStMkiFdvMm-vbPetC59GD6ICf1x9TDdReEM-cvpMMdVdK8NJPm8Jrv0A1SIeKtdr2SQp_hRQTw2axEFvAncHVLw8-8bbor6oi0Uhuu1PuxluVPcNgK-ITWjDHyOVzOFWGvI-1etXiu9gO7cFc/jmxcdbcpk7ml8ts/RB_scri%27%2B%27pt_install_x64_x32bit.7z
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff90a0446f8,0x7ff90a044708,0x7ff90a044718
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,3880420571832136963,17633960828890183977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Users\Admin\Downloads\Dead Fish-GDIOnly.exe
  "C:\Users\Admin\Downloads\Dead Fish-GDIOnly.exe"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Users\Admin\Downloads\Dead Fish-GDIOnly.exe
  "C:\Users\Admin\Downloads\Dead Fish-GDIOnly.exe"
  2⤵
  - Executes dropped EXE
  PID:1140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
171b574bc1cb54f0c3177fc8278b5271

SHA1
f1290565a60a21481f893bf4294f5afc334695dd

SHA256
c7898714bfc3672c7d164f15769df2cb826fe3c4b5c9da5d0c3b5e1245892c1d

SHA512
676a6463a242d3727dd848174e702c8fc63e8c5986080abd9303579c908840ea2568eabb42cfc2f64e32f56a3bba7b7167e3815d8ec75d48746e4034cabcd189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d35ed71b25ea94aef7f25d9fb2fd672f

SHA1
fb1a8ee15e6e3d75f8b9b918a2f7e3be5ba2efb3

SHA256
0b3662696cf8718e7c5cfa5fcbfcd6000e7e62c1d0c73fe8638ac6185e46dbc8

SHA512
fb90d294950c2875b92654316ce113f9096219285f64a16c8df02bbcb5aa4dd24de266b2a54d393f5d227a58f65a1a1089d4d36bad4166991d009db5b53fe499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c303f2a6990e2f04dfedef79b53b45e2

SHA1
5233c9009921082d36eed97419e618bab207d079

SHA256
1a13df311d2819085801729bf0d5e1f5e67bd45bcb5318444b442ae3af9f7657

SHA512
be289b4090b7f362faccb7caad87b464091f3763fa000258e011e03f5e9fbc003c834da9270e5664a5a73d47000fd481049be3874f3f7f18a27a3a2834f1d003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9ef1fb723caa693cd15a3fa2c13bb7f

SHA1
a8d83e67687901e8cfd4bfad00070f252f95c999

SHA256
6d248a781fc22737900ece2c5f3699494851c6287c3fb5b26a605342e6ee4126

SHA512
286db69cc2f957c5375ff05ea0bee41b0254a8c2f5ced34863451e919397e679ac19c84555e44ce6b2565c022deec38dbcfb5862f29b718968d2ad1f3a242fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e07fae681d7d5bfd593394dd3337c570

SHA1
310ba8ef81194b098040e9da071ead54e3500ba8

SHA256
8562e3399d1d2730baf142d3ba888e2e703ea11b57027221b6a1b322fbd37b1e

SHA512
82f5c807ecb4641ef719b5bf6c899a19f982da1cc4a6fbcf859393a96d0ab519c490c038909f59dc5b373a71e52372aa65c618ab834a3832213b8c0dae4dc8ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1fd7d45385d66248b1bb61e1038e5bb

SHA1
823026754088c694973156c5372fc2ddf547a56b

SHA256
bac92eab235ba6360f4931d31f3ffe38c4e1699d8c307db2864e0a5f34102d7a

SHA512
834d569f8fcfa5828f7045efadc9e5c8a0543b7ba86440fa968498fe16121c6159d958fe3c504c0f7d9115a5349f3eff699e0e369f293f9d3a4563cd5add1eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a4eb075e0e9684b98bfed818e079d352

SHA1
8114efb2c2f40cea82dbdecff1b6dabf71a94b83

SHA256
eeb72b10557d8f2e1998872ed5e89b7b5574e48195af326b350cf5d1746a60b6

SHA512
f2074e071ce6f6fb54a028db9af478042222457e3f96995d19d5c2c1892df2353590c4128a8325f63d90f31bcd70d38e53e3219900eaa524e1ed2f98f244f301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
663ea124a86782ede9914b38fe5ab2bc

SHA1
185e6b940d353a978321346423d3d9eb57d2b388

SHA256
257d73de8b7119a60caab4d1fdd1be5ed2ecc5bc3f019d83bbd9e195c6ef54ea

SHA512
def4bfdecce2a8db2dfa09b83726b6712a28adf9ef9ed47591e0676820b85cd432c55ebcf7241d340e58aad531b6d5ee38d5fcce2b23ef4393b19056c7d4fb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
425557d00f2c696d59b6466506b33ff6

SHA1
12a72b7bc5015208f1003894b5a8281912728ddb

SHA256
c7db2b33f19c9e95ff8e2e8c5b7ecc1523923164526e80b6b1717fa10566042b

SHA512
32a1caca8493d013462c5c2f31e244bf6121191ec4655dfae53870ed03f156b454a1ab0bdd58527b9879707356e493ae2e7415ecee07603f6652c032041b656e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58360f.TMP

Filesize
539B

MD5
c15d231e0b8ab0260dd60a5b7fe33c11

SHA1
b3200326fb93ff6110a08afb231873a7ccf08845

SHA256
9cb93bd57796f4e8ec67e9aa3c4cee48a27b0608237b1e20da68354ad8c4aef3

SHA512
54010ad795a49b8df9a1d0d9040bf0576050f86fff229d7e1f86d782a4e06b0f29551c1b857a36734f4f4b15f31b6617e72538000c81f18858c2487ed96dd309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a1e1f0ee11c5c4e60af4e292ddef22b3

SHA1
483d9fe49a5e40539e44d0ff1739af630df629fe

SHA256
90d0327d45d816c71f39c96c37012b52184a9c5f84ab4a255aea4411c9d9a2ca

SHA512
05c09240e8080d1fb99a50a2b546f390263517539a1e9e35a8f8cfb3fd0aab5193580d7cadd19a630205febc2eccb6df03d1c13798040180c17e549cf3e7069d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d0ca63740d80e2432a06549221d0f23

SHA1
7188500fc2744cf18222c5cc678b65e26d44b0ec

SHA256
b6dd30819807495cc7c4736894e2f11473eafac050b695458d181c17da8e32af

SHA512
f6a5a2b719773ab8b290b9fb396b8c89c6abeb6712c94edfe694f5809aab174b91506d78436426a4377bf789515d498a31d00be9f8b22ded97512e8fd346a697

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 464088.crdownload

Filesize
127KB

MD5
c50b7a75006047d5288a3ea5dfc967d7

SHA1
a3fec3dfc2047dc827ae5a991e2d9be7741b7083

SHA256
415e6d4f552423bb7f28d2a535e9963295562393f470c63d4086fb0faa237752

SHA512
d121d355be6e4249482aba04ccfe7824551c3e45a7e6d6870e9bc2342e7ce8c323b4958f84d9b1f8758a2f9a4bbc33cb6f4bfb1de83d35f13c0dd57a2cd51883

Download Submit
memory/1048-438-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download