hxxps://only-fans[.]uk/nebula

Analysis

max time kernel
149s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17/08/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://only-fans.uk/nebula

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4788	msedge.exe
4788	msedge.exe
4684	msedge.exe
4684	msedge.exe
2360	identity_helper.exe
2360	identity_helper.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2540	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2680	4788	msedge.exe	81
PID 4788 wrote to memory of 2680	4788	msedge.exe	81
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4668	4788	msedge.exe	82
PID 4788 wrote to memory of 4004	4788	msedge.exe	83
PID 4788 wrote to memory of 4004	4788	msedge.exe	83
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84
PID 4788 wrote to memory of 4768	4788	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://only-fans.uk/nebula
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9ec03cb8,0x7fff9ec03cc8,0x7fff9ec03cd8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,18123409183545377623,13623681054458146765,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6556 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
277KB

MD5
cab500cc8f9df1a564defba1f80c203c

SHA1
a233916473fafc40fe8925de387d42d9c04c0ebc

SHA256
b4bffed3ae95ab154ca1e64ae74fe7280ad0adc81d3af3ce9d019a871e129146

SHA512
321f029e09f0fc99ac62a0adea622678aa83e674245627b499b99c2fa42d4da2e929cf3cc6ffae2ca0cfd15e762f1269a852014a83f0e65b6f82f41b432b886a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
141KB

MD5
19beb48c0f318246a4651315a8f7ed2f

SHA1
389f1ff5a5211676167b60b34aa9db9d854eba74

SHA256
edfc4737412920373161c4b5d320a8110ca06d0778eed92b507e8a0c513d308b

SHA512
e704c6d8236155f98bdb917aec2eb2520eb859efdb0e17bb83ac4cae7059731d29e47729b2e95b57ec11b2fdc6ad00763ee7493043f4039289b6ba6c644dc5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
20KB

MD5
88924e883819450fea6752faf211c02e

SHA1
f65cd48ba61e6854b8695490e82b8ef1256c0ad7

SHA256
2775bac57d4aa61e0bafe9902dda744b81a6bc392a953a125fad1da7c949fbec

SHA512
c3aaeb5f7016f819015b54ac7f2cde14cb71b613b046b7097a61d7836f3cf67d38bc6eaad619561c72828d6f930de0362cacddade2f4590389e6c363755c68e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
526KB

MD5
c988d721318a71c85df92ef19765fbbe

SHA1
d6e589ac1c4ae49fd51abc4985e817200dff0d57

SHA256
8aee03e83b3a9a612dc7fe47eea413cf19c20310415f761a65f0a55ac0e13c76

SHA512
2223239dfb98d332bb95d0909a3e55c70a861a5fe0ca7f6b36877ca7ddcbc4108f83a2ffa92ec652327f7b8da90d8cdfa05d9db08f2436608b8b1285608a652e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
1024KB

MD5
6c1284b3860ba6930d7307cf81731979

SHA1
b4551c519bbbe4160c39140523072304f9725610

SHA256
bf2d03a5ed63547fa6686741b6ffc1c01b0ae55545909bc32c09ba51802a1425

SHA512
16c7c0f7be64e6aac973f531d11ce169ff02bcd8655b185fb0ac311761f7c863f7df021ec948afa159a69a74e2aea816666f33127bf6a6c9ff5f08b58e3ff3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
606KB

MD5
7d896b61b5c5eb45e69d84342dfe24c9

SHA1
514e582260aca0edc12865b0833e49bf753c95d0

SHA256
52564414fb1423d709d2acae923a6d626a5dadcbd0ca7e41e104cc125bbac30b

SHA512
78d9d7f7128ed83ba6e29a259af1511c66783c4321d0c250a3351613bffa3fe988c98ce12221b7dbd69b539a7ddcff03dfb8fe175a7fa63212d623ce38051d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
529KB

MD5
d648b28ff48c0920ceeefc0e544ec191

SHA1
106d0b17d2bb93319bfb26a334820591b8f473b9

SHA256
bb7c40c4084528087eb34c40ae88c04a84ecdd1be743f866443e1ad2538c6abb

SHA512
e9a1619794a4dde77e04244f5bdb6a6e743f55a5d96eb8a0dfa84532dfc3cbf869d0adc40db021d457bbe15557416c6209e346433fd96ca13b334ba356b7dd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
507KB

MD5
94b165afe58a445302507a0ef2892662

SHA1
5ec618722ae593fdbaf046e7ebdc038df97aa0f7

SHA256
ab244fa0be32f8444a70f79e46c3868cbf8dfdbd33c5c9ee3629e046a17867c7

SHA512
9d86f80805b91776704ac5de61d79910f09070ee0fc2d6b46997af51b2ada49e304ad30f9c725dd5ee4f5a3bb57e6a7517ce89f5f592a33101383766b9bb3272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
285KB

MD5
fe9461f4ae1040a8d13459da061770b7

SHA1
0e0a7f188f0644304a13d7bd477da658fd5ee43d

SHA256
751683721ea6ee6cfa87f1549a19e5a19d4a339334ff15e2af966b15fe5a3073

SHA512
f8b21fb9543dddb2e6d0de98eafb7a9a2046056c38e4bb27c9f4418a66cb1a74f7512be7621fcc0c1857de2e2f6f277cf7d47334790d5f2014aaf872594cd1e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
95KB

MD5
5cf9dd986727a214259da82083512097

SHA1
1b26ef22546d480a6de4953f40aa9fa7ffcb7c74

SHA256
2ba498a88544c83e6e18bfcdfee82997c8be015a2868eb5e4b076c220890d5f3

SHA512
a612e224f1eda8f8bf5c5d51189488d371a03907883df29c98a63797a3c72d9cd1e1c04196df2dd85e14fc9e33fa1a9ee41210310f0d3fd1de0711d925ca8ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
772KB

MD5
a8adda00c76b6d3bb01ba03200c05201

SHA1
acc4fad72ef9c5fd95505aac68c38ad2b8475797

SHA256
de52abb408bcce80e4502857f9071b641a8b47d05e646a3cc47ab4be9ead240e

SHA512
a268d3f228eda58c10f8e2c91c30219cc4a4cd22cf958989ffdd930b971342d74ec2ebd99e357ae578e3e9b2abe663e3b5bbb3e8d059738d521e3c278ae99198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1f809fb7f608044f_0

Filesize
28KB

MD5
b6a845376fce62f60ec24b257209d825

SHA1
1dd81c93ce4f465a461c8392234f15407ef70c17

SHA256
cc2606f3ee82e26e0937ae24bba3b480af412d1aa89388e3ccd268653a2567d6

SHA512
82c41a12c63a538123c34b2b50eaea42e10e86be3912c39e9e0090c8af01afe380b7eff422dd08a081465e67f554165412be34269e1e9898bdbb682314279a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
189fea2d647a64ae1f6ee30129a6ebc6

SHA1
a85a865618dc1e5cf45e143db856ad9f571fa56d

SHA256
950856c143d2fe9f99419913333570e44774edecb2bc76171a26fec8781b2fe0

SHA512
1c020af99219d96b14b2aa716dd599e04d9d5b4e247aebc70e16d543e9bfff1f9cce8d1d7a2e040713a837dd2d118fceb9950a48687955c83a35f959d956e43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
d21563cada425a0fc27a4a0e477d36c1

SHA1
73e509066214b59ff2b1485bce4a822c439582cd

SHA256
830bb16df2a71cc4bacc313126181afe1a30e92c50e6c5f04528c791167b6057

SHA512
a9e70d44182a0b59214ed80142ba320b0a26ae634f88961888096666c98e26af55bc418c101e9de6d864893eb17c90a9e33ec0699deda024be5e5514c9bc1d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8dd5e1c84d0b439112181bf3c02d3c30

SHA1
92509035e52a68c59d8c430a0a2566ca57e6e283

SHA256
1b4cdada42dc8d72f5b10b47dfd51d28a6e92afebc64a217acfb57af69fd223f

SHA512
b9997e09ed7daf2721a917fa0dac62ec6b036b59142a770083672326d7948ee7203991a80c316416ad47ac4cc8d2cb553052d0beee6d1c5353072064eaa9465f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9a1c53a12cfd917dc75b9b2173ccee65

SHA1
fefb86c65a55b1b8f2bb5519df69f406085edff0

SHA256
596be35233c2b86804335ec99e4ba647e5856a8c4a5cb4c0407bd1f4cdf1b57d

SHA512
6c7be30040b1693fee1d3d1fb6661750f5f930e029dbeb25476a67d2f99b8618a46f57980ea2b2af318e8d1b12584510d567c7c48d997ec5d25621c1bc30fc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3a57dce249b18fdc87a70e758f4de227

SHA1
6d602d5293cea4e8da7d3d2905317b097efc55e2

SHA256
d51b5b644d571a35c425cd8891368e4a5a8301a84eb3df98f0fd92abfe8e32fd

SHA512
6bacb8bddc036bc0e14203f75ba2bdec61ae0de72e07bce1a889c3455930c5dbab1d291299ec7286ad7d1e0fcf9c394a109e59168cd2793eb06f2e12870da228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb3255b8d2d0e35f102df5974431e49e

SHA1
376691a13d7ff97d14b6bfba0f342f4ef3795aea

SHA256
a22c56c5f4465c75b2032e28f7f0b4b15571cba7fb5ce5d4a65abe9a06733732

SHA512
40e1f820890b9fd17ee630245adf10301d2bd0666fbbaecaef98560da65c70a58d9ec73ec7b18af8f071daa9be0bfdcf45d32f8d31a43cbf7359667a5e83b7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
daa771a91c53f10781fec3524bee94d2

SHA1
79b14a52d4f8d80035eadeaba28ff4c083bbcc92

SHA256
81ded9f72b4c6036526846db281f3548fedb5cd361f4c98f62fb134f41ea55f7

SHA512
3e84e4d3567a2af2923f3db1c6bbbe65cd8c7e18e4ac86839984396f9af88783414a90993b31f4a3be410eee8444a0b6cdd61ee6f7443486513601814ad7c680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
722998a4a626f08220a6bf9c29a59d23

SHA1
17b35f1d22a2f93cbc916d4dc1784697b5a096fa

SHA256
4cacc4d42ebf0eba83de16f066de8db6a5eeaf50bba0a98d9078f518edc9fe71

SHA512
7541fc6036d95f53025fd5671a6154afb3e83966ce67a3176156427ca9c69e576c2981d0e870f6fea42014a493c5143fef4a26db73aa822be4f20393bb6945a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
937a420321798a21a4a7d1745dab432b

SHA1
a05a4e4fde828468c7835abe2a409fca713d7cf1

SHA256
6931792528d56a4288702545dca92416b5723047456105a5fb9c071a1f48090a

SHA512
76ed0302f911f113b673e665ef10f8fb16a822c3e83e533f909cde0b1601960b0bca8c9c1a3d984ccc099e670e30161e1a55b2f9fafc8534159eb184e89309fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c25c617509c38023f4da4ba47feb934

SHA1
d565a7f2425d6a9c887163777b2ad0ee2a1d8ab2

SHA256
4e24fd052bae8bbe529d38d0b69b49137363b85fd949cd2f43ea6cc41404668b

SHA512
0382841fa1dc336d5e52bccf27cbedbc3ffb488604a23c88e80ba82518caf1c6863955d95ea32be8d1378c4139b8cebf40ef74c03a4fff046873d68bd45fce33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
72f1fc855f7ca9b1a3bbde5535f13b92

SHA1
9a69f1428558027effdfc8218a7cad9b17ec861a

SHA256
a0a587939043c58ea47a64d719b386c273bf51bf195009a1cee1b6ea465403a3

SHA512
cc5e0042925863664e729a888833a402c0f03a4dd9f4d9b7a97945955c6bbe3b5cae11f702dd626b64193d4914e193f24377c7d668bf03c8bf7943635ad12f02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit