hxxps://file[.]io/JiAwlmedQS1O

Analysis

max time kernel
52s
max time network
53s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25/08/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/JiAwlmedQS1O

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
246	raw.githubusercontent.com
163	raw.githubusercontent.com
164	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gay ass executor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Debug.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1460	msedge.exe
1460	msedge.exe
5052	msedge.exe
5052	msedge.exe
3784	msedge.exe
3784	msedge.exe
5648	msedge.exe
5648	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5820	gay ass executor.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4556	5052	msedge.exe	79
PID 5052 wrote to memory of 4556	5052	msedge.exe	79
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 4492	5052	msedge.exe	80
PID 5052 wrote to memory of 1460	5052	msedge.exe	81
PID 5052 wrote to memory of 1460	5052	msedge.exe	81
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82
PID 5052 wrote to memory of 2064	5052	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/JiAwlmedQS1O
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8440d3cb8,0x7ff8440d3cc8,0x7ff8440d3cd8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8560 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8808 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8828 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9800 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,8052108911386868466,13707755973316700338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10260 /prefetch:1
  2⤵
  PID:6088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5932

C:\Users\Admin\Desktop\gay ass executor.exe
"C:\Users\Admin\Desktop\gay ass executor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
1024KB

MD5
759eca8f89c3095a05a41b4d7cc21201

SHA1
059790e0a2dc509a18551b7f01acc239c5c4dbd0

SHA256
8550d22e182a409a3ac9227e221d2e1edfc5c0f0762cd2e9fb75528f8c3b8185

SHA512
f03cb2386404db4c3071b9b511e4c6c06f8886ad5aafab49d431031b13a5e47f2705b0967d9a7b47176fad45863f1eebbee9cd3e4af636d3b9dc375e27f47bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9e74bdc01e56b9cb45a6662a50bb47fd

SHA1
c2f378b52aa91e5ba5e011134481f84c363975e8

SHA256
0bbecd48af6fae9cc4cfd2be1323359db62638ee451ca41b84cd29eb9ebfec58

SHA512
27a7fd7c166c458b6a9d7bf0137d56d9fa66643bacc67d28a5a8714e3e7b0463e333a61dcb9f21f546155a22f3c92661b5252a835413f51572b6c738daffdd4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
085398ca20788808030d4ac73c370dca

SHA1
c66d764111cafd7e46981108f81cb4ae841bcb49

SHA256
a6ebe2e508a9200b1eaa84ebe53c82f95748a8f8f9b14d90b2175ebdf538944e

SHA512
0daef43058ec187c9398e1a6184bafc89b1c0cd1f047bbc3510597ab9ad866469eba111f7026d538ac05ea9506859326495b500f4222890d675af085c2ae7dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e80056d6d6086f92527af205b7f0d375

SHA1
d6a6a385728d82c363aff89ef74900e172de5541

SHA256
ab52d67970cc0682cb9cd5cadc3f9fa98c0cd3b8ab0cab6e81585e915955d04d

SHA512
f85bb61d947a3e9113c5d19343f152a0d5e4c8540502d3ab0ce1a41bdb725129a9ff324a2c13124aca026a39520156583c9168147b3c0541d9142599f9c33c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
29ada24b041b6db3aca947f420d42719

SHA1
bfef759373cc99cd812e85f8b54752f9ba5f73dc

SHA256
db88716284d1d5ecb2c52cc611ae2cbc9c574e857cb8a38235e19bf1e26d688e

SHA512
9d97504f55db46ef901bb765b75171da87961f14e02c3501ed1857b0d2100866e591029d02df13747edc0ce80fc8856ee2673183963943d5dbfcbafde4407d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
cb2384adff1309f9b23d5cad5a56bbf4

SHA1
fd59f922e0e1be6b5922e739a53de59702bf420b

SHA256
91d7843c3b16427390cb768afd8ce36a33eecdc068b93aa7f92e3f7d9dc9047d

SHA512
6ce25246e1b44c6bcb209458571a7f853efd0ac126825cbc18a21691b1daf823b403db316a9843c614c4705ec6a47e5dbfcfb827e30f92ea42c61c3bbf266ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
769bec2e7360d426ec567e43d81748ef

SHA1
c253566fcb1f65eed712f13d2305c70656c85c84

SHA256
9939d40bfb704fd75b694c7029807766e97ff5b7458ad5a34dc9f6c422663bb6

SHA512
d750cda29c474a20fce966c641849f849bc03cba9ab51b7ab735445c1897507e854501a55e5890cc6c5d8139144b99c102cb28900a380b1c415077ff96141818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc37.TMP

Filesize
2KB

MD5
6188e6a746dc05b4c9d0d83f0c07998f

SHA1
80776096bb0454f13356db8099627c0e53853106

SHA256
de1dce046258f2e892f723db5fc471772144af364a2874abbd7fe58119b28dc9

SHA512
da384521ab7a28ae3f3a8bf0965a330170763a18f347763a1792a12c647d54a593f54512010ef4038f9e515fa2a642a3fdfce9e41a2c3c0f552f59085348df86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c13f145b89b7c1a8c8add4378f98eb4

SHA1
30c4cdff5e4bd71740bce9dc7b87f8424740d5b6

SHA256
05851d4c374d46a1f8dd66e83d5417557afcefb04e52096076fdfbef9f58781a

SHA512
ddcc9bf29f622689e2379a1849a23f0fd05f2fbf16049e9e1f66ec41c5500f84fa6ab210030969af6469a7d7981b72a7026ee736d28c39fea3e871fdda03cc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
372a456e5abe67f912e25992ec3dbaa5

SHA1
f23afea4f6b24fde7b08b17e6d71272de0556ed0

SHA256
729caf2d61eb1c036f7420f1f66f7010c54981df86078380af40568eb50d2911

SHA512
e72a5a898de5a3644ecb6bfc2cb337d253485849c7b85699531f45cde6764826d5eed63049065d93cae96a1981888f22b3cb6657efd7e4bb2aabc8cf059fade0

Download Submit
C:\Users\Admin\Downloads\Debug.zip

Filesize
1.9MB

MD5
d60af2d20a44f3597fcacc78da0aadb7

SHA1
5392c74c3784fec87a82fbd1a77c464910372ce7

SHA256
34e27b44a9e2a95271f5072d3b840673580b09ef6510c9b8169c9a4015e2672d

SHA512
e0a20c724ac7175f51a1e8b4de463bf2036bacacf3cc730b256d019ad1db0bd56518eb672a936fde9cc8524122ed633388984b49caa6c9dea657ce47aefe3e6c

Download Submit
C:\Users\Admin\Downloads\Debug.zip:Zone.Identifier

Filesize
98B

MD5
81edb9b06c52acb81c2defd910f61b86

SHA1
4f6a830d3207a7afce1fe8e0ad71fa0bd1b29d89

SHA256
1ffdb17f2555876e3cf621d28043f7a3d8ada91ca9357a7766ec3826fb8c9b16

SHA512
1883d188e52cb8de87b1a977dbea6c057ca9686369e793fdc4cefcab53d87c5b6d3f9e38272779d376de90b109d05c9cd5ff641108ebbfb39386ee01ca72f4ff

Download Submit
memory/5820-424-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/5820-421-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/5820-422-0x0000000005CD0000-0x0000000006276000-memory.dmp

Filesize
5.6MB

Download
memory/5820-423-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/5820-420-0x000000007511E000-0x000000007511F000-memory.dmp

Filesize
4KB

Download
memory/5820-425-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/5820-426-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/5820-427-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/5820-428-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/5820-429-0x0000000008C70000-0x0000000008C78000-memory.dmp

Filesize
32KB

Download
memory/5820-431-0x000000007511E000-0x000000007511F000-memory.dmp

Filesize
4KB

Download
memory/5820-432-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/5820-434-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download