5834f6ae3522131494c225a93c30173430be80b5c144519b265395c54f35172b

Analysis

max time kernel
2617s
max time network
2622s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreePiano/plugins/plugin_xfmp4.exe
Size

1.7MB
MD5

1c6f91887e9d23c721ed5475b566d294
SHA1

f505b6e02047b082038110b22e4e48137fe3f3fc
SHA256

3b2dbd1e356d3a32914f5db00a2dc10d697f90568adfd17d739ebcceeabe1c8d
SHA512

c1af6c6187c1f7d67ce212aa15df2ff284354f442cb5bf3bdd38674e7b96443b90d162af8f845c94991f8d29ebde13742c84e79e7e2862b955bc645e08e753aa
SSDEEP

24576:oTLRacbJBSmMDs1mppQRqWJ0U6Ae8yYzWDILv+uysEa4rl5kSauS2emE8dvTjfK7:GNamMeu4Evl5N7jfTk3mM

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin_xfmp4.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{00F8E866-0798-43D7-9B00-CE2A0F40CA48}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
4424	msedge.exe
4424	msedge.exe
4652	msedge.exe
4652	msedge.exe
3364	identity_helper.exe
3364	identity_helper.exe
3424	msedge.exe
3424	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 5432	4424	msedge.exe	103
PID 4424 wrote to memory of 5432	4424	msedge.exe	103
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3360	4424	msedge.exe	104
PID 4424 wrote to memory of 3380	4424	msedge.exe	105
PID 4424 wrote to memory of 3380	4424	msedge.exe	105
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106
PID 4424 wrote to memory of 1220	4424	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\FreePiano\plugins\plugin_xfmp4.exe
"C:\Users\Admin\AppData\Local\Temp\FreePiano\plugins\plugin_xfmp4.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7fff5e863cb8,0x7fff5e863cc8,0x7fff5e863cd8
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3076 /prefetch:2
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,4647470346264802989,10994726486677694412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
37KB

MD5
93acf02790e375a1148c9490557b3a1d

SHA1
78a367c8a8b672dd66a19eb823631e8990f78b48

SHA256
4f2513f353c2cdd3177e3890f216ea666e4eb99477a56a97ff490f69a9833423

SHA512
e6354f4e4d35e9b936a7ddaebdd6527c37e6248c3f2d450c428903a32d77439cab78020a45834379cf814a79149c3dddf4e1280b9d06a7f972e5f8e61c463d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
37KB

MD5
a2ade5db01e80467e87b512193e46838

SHA1
40b35ee60d5d0388a097f53a1d39261e4e94616d

SHA256
154a7cfc19fb8827601d1f8eda3788b74e2018c96779884b13da73f6b1853a15

SHA512
1c728558e68ed5c0a7d19d8f264ad3e3c83b173b3e3cd5f53f5f3b216ed243a16944dbe6b2159cfe40ee4a3813ca95a834f162073a296b72bbdedc15546be8f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
21KB

MD5
a6d2a865e9f16ea305950181afef4fcf

SHA1
082145d33593f3a47d29c552276c88cf51beae8e

SHA256
2e5d94863281987de0afa1cfd58c86fde38fd3677c695268585161bc2d0448a2

SHA512
6aa871d6b2b0d1af0bda0297d164e2d685bc53f09983e5a4e1205f4eb972a2017323c99c3cc627c3fb01381b66816e570f61d013d3775cddad285ac1b604cdc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
20KB

MD5
c4b8e9bc1769a58f5265bbe40f7785ef

SHA1
07ff14df16d4b882361e1a0be6c2f10711ddce50

SHA256
2786986a3139e9722e667f81b4902609a4cf458e1c16206cd11feceee0254192

SHA512
a39157460b523ee2b9e1eacccf7aed99ff002767a8f87287c1c4662b6711b97f7d4955df64a86a882417fe71e598719e3934e14f787c1e6b3348c8a4c813e3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
19KB

MD5
f5b631335f170065edf1b148e10b34d4

SHA1
ca34f82af577fec763ed38f0436d20f1cf766f62

SHA256
99be964ed51ca453ccfaa264a1ea9490da11e32b53765919172b6d3749a9f846

SHA512
c66791cbdc7c0d12e7295eb26eb583b26e03692c8986ab7d5dac0e6a561b8b68a8a9e33814121efc700ff6b472aa4f685162b0c75439b144f12286c9e28c7cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
17KB

MD5
109a8cceba33695698297e575e56bfad

SHA1
2b8c6dce1ccd21a6eea2dd9aef2a8a6bde389053

SHA256
dd82d9ac034f0a06524fc1d5ef884c29a7e4d586a1e7db66e339dc54fac3636d

SHA512
6d51ed30c45560838df921212370a0044640a8e3c0433922106225cb6fec8cc115ac6191c753da13def21c4e0db4deb5782fb7a75ada822ced1db7c7d13beaf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
57KB

MD5
919d13ecf08e3da7e9f337e7b60d6dec

SHA1
3d9bd4aa100f69cf46ad175259edd6ce9864830c

SHA256
9d4575044d2efd5e90503beda65571b5158a3f32d999191ac1f82d1a5ee62ad0

SHA512
98d8236ed1c44826b4489b9fb7b76c62502a032547374446c53dcf2eee2f5fe3548c6587fce66df9d075294bc2ab6be97c3cb21457bc899451ebd3b476715985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
53KB

MD5
cfff8fc00d16fc868cf319409948c243

SHA1
b7e2e2a6656c77a19d9819a7d782a981d9e16d44

SHA256
51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a

SHA512
9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
23KB

MD5
de8c6574e9057e4b6ea7b9437db4b9d5

SHA1
265d520b6a04b434f5c3fc8c28debac183898db2

SHA256
51f281fe367854904b3db4b6f4cd70ccf90414335716482aceef382c536ae746

SHA512
cc8791772d03ee3f4b13654d2bd3354ab1ec28322ae3522187603bde00b1a5d940e99e62dda0fd3a7faf0ba9c3cd42425d0e64196f954bdb93c979f5e990e7dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
137KB

MD5
a336ad7a2818eb9c1d9b7d0f4cc7d456

SHA1
d5280cb38af2010e0860b7884a23de0484d18f62

SHA256
83bdfb7d266fd8436312f6145c1707ddf0fb060825527acfe364c5db859887a3

SHA512
fa69455b3bfc162ab86a12332fe13322dfd8749be456779c93a6ab93e1d628e246a31a0a55cdba0c45adb3085acd62ba0a094b2115529d70cb9f693f3b1da327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b0ed2f06fcbe64beea873eaba0607c89

SHA1
4f3e816a2958254886c11bd2194b7e53d4bd62ff

SHA256
6e3bb9c5058c1d0700ea7b113f0b2e12bc3fee7bd81344c194c907f1e9c8b16f

SHA512
58ea1b4147713651053a8c5becc48a655bad49421abc22319c0aa8a2e2ef9cb4c3dabf474c9cd1b578f3d84b1efcd496fa089bbc1e71463e4de4fdae6a39965e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
adf28b425bd29e034e8a367e7f156edf

SHA1
0f2a36b4bcb08b60341ee88abb86499b8481ba0e

SHA256
c78109ca4e68b9ce3d8578520be4613267cafdc0e5fa3f3cde80a0822e8797b8

SHA512
6669bc67a25d7460e8e5ef01cd066dda71dccc26f99d0cdf0f1059045fa0f97690e7865ed68af273c6d1706e260c88e53e3937a6dc6b616f6bd6a9fd64331e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38e37ae892900f57ad73e832bc2b62c8

SHA1
9fb30f2fb03c049626bc13edb90218980bd6a68b

SHA256
95b2b602d3e3e3230c8f09d81e2fe706afd52ef4dc208c05b781f3a64bf974a0

SHA512
80710796058d1003132cf74e3a8a8384f64181c434aeed268b9e17377c1614f959640e8a8d7bdaecddde5c5c53cd3b3ab9e6e96cec18dcd834235240b5be1f15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fb8bf46d0773b67652be82e24ec2ce8

SHA1
5bce327703e94eb7e3473ec04f2ced354c28cf2d

SHA256
c8e4169f88a3871ddc51fc8e9e6bd04c61eb5bf38002b78191ebb24901571272

SHA512
b454999f7ecff1d82b6149d978337c5833e6df7136769f57c14baab699bc4d72538f4ef794c4c87d2229ebb8df9054193b48cb8de79be4b7ffdb3a087a2b8a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f877be22a18e3df74fe13b090bcf798f

SHA1
4faadbaca6220bf38be8b9c8e0b7cdf4af6a0a01

SHA256
d2b0ac04e128447e5acc9fe35bd390c80b87369b29118e53ddea82716eda2ebb

SHA512
e7f6caf40c2cc16e2d40388ddc2b220b9965e01864f8fdb769a3f77b49d0d9bbce9a73e4d6e8cf87a088680fe831f8348456b146a48dedfc15321f8608766b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50de3bb1750511c601769cc719e3133a

SHA1
0eaa224544b426c8dfbe183c9232fd2b8c0b508b

SHA256
33c9ebbb0a3ccb3da4d69b35da4dbf92b208c29d48220c92a7b709ecae5bebf9

SHA512
53baedfd5fed324a309765725aad5dc7d5941a8b6c2aa1cb92a41bc9236223e7c0fbbe61e3d73e8365fbebb24cc6cce9c0f4b7fae805d8ffd085d0ffe2464848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2a41a6a1a687b07a5a2dda62c35c7d1

SHA1
dffdb806df19364612b3421722340f0c614592a8

SHA256
75388557caad78911caf44f87eff79b9eb0b98091c27dcb671b53a8e26bc5017

SHA512
a202d13660983480a6c1b1a49bd236bbc5bb2f18db38b1a29535d2cef59a33fdd60b08208d46488c73406f7a844e27c8186dc96004b039e41966b719cd4beae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6dedb0.TMP

Filesize
1KB

MD5
6eb83e2ca08f4453d61d2f31b250d738

SHA1
cb95c7216e4809adcf8506b9667538a7405b2d68

SHA256
e02f20f55bb08fe9c5cfea8156cdc5f1de28c2f97e3001686b4957964daa4bb5

SHA512
8a6a9e01883416fc6e236942522182ace95b47b59420dd2b1c5211bed231a381444c7ccc7734e8da4684128620cb473565bca8ae0216268fc208462015352c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e2cb399cb59282c19327f4e54a4d5622

SHA1
b3383dbacb094c80cfbc4677d02720c7728f5de8

SHA256
aade33cae6eda24917800d9682aabf34ab6a16cc17ec9707133431c32db30c5b

SHA512
d8319505e89f0c6db8f7c571d4af69b97990c70a9de79ad1192a63773b0983896b7c2a8f28e8d00fc1d0e499a4c362d2e6246431ed8beb665b46b69ba9319b0d

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit