hxxps://dayclouds[.]s3[.]ap-northeast-1[.]wasabisys[.]com/users/ygXeGOJJzAa7L/vCdvCnid65yDcYT_1723316480[.]rar?response-content-disposition=attachment%3B%20filename%3D%22The-Sims-4[.]rar%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3CQ263VG4G3VUVJF06E3%2F20240825%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20240825T222650Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=28ab608277739f5651999067deb96c60d340d8bd9a248634eda013e76c47392c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dayclouds.s3.ap-northeast-1.wasabisys.com/users/ygXeGOJJzAa7L/vCdvCnid65yDcYT_1723316480.rar?response-content-disposition=attachment%3B%20filename%3D%22The-Sims-4.rar%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3CQ263VG4G3VUVJF06E3%2F20240825%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20240825T222650Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=28ab608277739f5651999067deb96c60d340d8bd9a248634eda013e76c47392c

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
163	discord.com
164	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{50EC2E85-2AAB-4D89-BB8B-A5ADAD20F216}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2976	msedge.exe
2976	msedge.exe
3212	identity_helper.exe
3212	identity_helper.exe
4708	msedge.exe
4708	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1600	2976	msedge.exe	86
PID 2976 wrote to memory of 1600	2976	msedge.exe	86
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 1308	2976	msedge.exe	87
PID 2976 wrote to memory of 2360	2976	msedge.exe	88
PID 2976 wrote to memory of 2360	2976	msedge.exe	88
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89
PID 2976 wrote to memory of 4060	2976	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dayclouds.s3.ap-northeast-1.wasabisys.com/users/ygXeGOJJzAa7L/vCdvCnid65yDcYT_1723316480.rar?response-content-disposition=attachment%3B%20filename%3D%22The-Sims-4.rar%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3CQ263VG4G3VUVJF06E3%2F20240825%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20240825T222650Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=28ab608277739f5651999067deb96c60d340d8bd9a248634eda013e76c47392c
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9afe246f8,0x7ff9afe24708,0x7ff9afe24718
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6696 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15219413647092968090,14327876844219861902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
30KB

MD5
522dd82aa900c5ae9de33b17692813c0

SHA1
4b9b183b9306b17ae2cff2acb68709b7f2c237ed

SHA256
1206c8b52249f13150a4381ea9138a8fbb28e075d4f3a6268393dd185d3abee9

SHA512
da571c03c4aa8d783b7daafda9b95418079c67afa7a3a8a06e562c574ad10e45ac5fe2a7ad30e514a8aaee25ba8cd6809056f192b9d49f470871002f2d5441f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
90KB

MD5
304c4d91a6cd0878fc67784ecd9231e6

SHA1
4383b10c3ddf083af13a389c2a6cbe6baf99aa91

SHA256
bef03be4601ce00db95a14302de57da79e2436fe6f5f67c4bbdf17701edaf611

SHA512
9b5ddd410a710970ae0d35d4b960726003099d8254f5919fc2518e37d2160cee571f082c1f27d30aa8aa57ed5db1c0478ec02c2916d4e7b196bf0227129b8731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
20KB

MD5
8373f526eb90093654793437c77eddbc

SHA1
724bf934b00d0854c2f886f119833c78a373f249

SHA256
76eabec5a1804e1e94675e4c60855c162bce4b03b80e9ce68c76674e8905e2db

SHA512
cd3e8dae997da0ed310774d51218a2b1a0ddb0ab189dfe7883ec725e10dbc8801aa036344c542e7c64d715298c96ae71a269cb099d0abaa23efb50d6e51d7af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
20KB

MD5
720fc4bdae0f0af7b992042d4240e0be

SHA1
ae6c0afd0a637b93000cf801533012c6e155686f

SHA256
ff08599c267552c3cb37a87575a7a60a082b3f6c969266a91a3bc57070b06cd3

SHA512
fabbbe09bcfd9b74da282be2b48fc9815a2e4dc5e9e4e69b5c077926bab53d46393ace20ef1f4fadc82794f480c489f590fd13abb1106e4532f7bc98db9a635a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000ce

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
33e2cab3d7142612fad653692620f7f4

SHA1
26e651d9cb988840759d9700fa159740947f117d

SHA256
1d5fb03edf317dc147f8ac2ea9e7b9b0e7ffda59d8eeab15cd7d1da4b6c266e7

SHA512
e51687d51496c37924326f47af28a212e8f74856e804e0c2be5bed994f8325c12d7d8d046f800bb8d74db0c9e307085cb39517228bd96587c1b6ba610c53c33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8dc56b2346ab673cd3a76aea5cb38334

SHA1
eba15ec9f1ca4ce57452e64e2f1ffeda17083b59

SHA256
330e6b84d1e0f9b63ceea45d92efcb58c28209c3d4933c21f83c5f9b7997f93d

SHA512
1a052a2a8ce15fd37339d868573c209fd58691dd56f1346c9c8950d70303adfbe43003f93242555c99cb8e3b8041db845e1cf54b26df096053593ec3db9c409e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3aeb08798193b14a2fea8d6cc0ac5c1

SHA1
372cdae0b6a2f7235709b139454d428e3dc11158

SHA256
67cc4007b8ca77c4f6b80e845532b47ed2034f1724d1606cbf85bd637272f29a

SHA512
02428b270c2e7f67b85b21c593fa578763030662bc39b41ac79d3513027aa84decfa01331de51556eebda9dc1b1ebc77e5d4cb513b59a8562139c32e4ec20287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aa15faf03b46b9bed86ee2cfadc88513

SHA1
ac19d306bb13525b15dfb05f473034c1872d9f13

SHA256
5887e396efeb5091e1466167d8ebaaacce77dbfaabb3a4aacb041015ea23f385

SHA512
64342c0ddc18b324e5bcf3484be934bd7bf6d2d6c11c8d87b76e23f241161369cb78cb922596042ebedefe7aee744f5836cb02229b8872293e753adb609d5092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b3ae575a681ed77e50a0c8a1365f5f2b

SHA1
b0a47f8c2211332cb7308816dec48a9ecbafd3b7

SHA256
7ef406f68e6a25a0085150b50a84e20f5bc84bb938682f3c7779f0428ac51238

SHA512
2b2499d5017eb91122b641d74fa35651785f4366b56d762a50129e2ef3bcd4e8af2eccb5deacf7d1cc80eb7765e6400e53bc36b695656a9faa036cfdc96186e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
806409640c55788e0ec96992a30f9119

SHA1
28464280d7b08ae30341584bcf93ffb6910b6ec6

SHA256
b0eda034d0441bba642374c5f94d507c6a601bcb8ab3c93c1c86391357101501

SHA512
b4dd4844b654f10ec7ad1f95503e46e717e8c21bb45b55438196448cb47baefa74b8e7ac1c8df6f1f477cc7e34ad08b43538e45bcd29dea675ef3fd5cd526bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f7457cf652865df01a872bcd91779a9

SHA1
368a2ba3fb3a49d68a762f0b4faa5472f21a9d41

SHA256
0446ff2ecce6b8ce087fd6cac2afbbf6c5b6b336487a53b43da5e34134ee8499

SHA512
9a2f03137a901a8aa62ce4eb10bd96cee3c619fd01edcbbc51384f9234fa9f8253001e0b334c9fcaa911b1e9e7000061754acca56baaec2424b602fe1a09eaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cc8b33d16ab2c62a1d334cfd52a5fdaa

SHA1
0b7bbacd0992aa0b6b58d56bf22cee54dc159d15

SHA256
89eae48fb167044cfe89d086ae9ff292781666a492af384fb90eac39d2d6ca0d

SHA512
2b060b4d3273e1ffa3bfb4f0a26c3066224b1380297bdb48af9dc76261164cfede1354c8199cc926d50d0b660b4de756d8c9ce15333b1899deb506422589a128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07178855e188ca589bc33808f57e2fe0

SHA1
7e2d04361ada5392cc7e1d46ed33df6437d376d4

SHA256
d660c1aea5faa328c8db9dfe946fa4bce4930d1e6195a1b8a2abc536ba43ef13

SHA512
177481290ad25e8cb15fe884109c396fdf7c23169394ce9e4ab1b4092063d6fd67c4a08e1129f9d3720729881a1b40e04037e11bb82cf066a5061d8bb16af0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdc9132c11d761d35f922d3398ffa3be

SHA1
a324f5c3fd081f6b3688f17d3cd427039be76f1c

SHA256
b34c26a353b705962e6e9f42518fb381b9c38b1d7b8bf75615df3363b2cc577d

SHA512
7029180d397f8ed76f6b1d4a602fa8142fd2ef6caa36df3bbc86ef9ae053ac96238771eae3a14009573ea153f54e3c27cc1ceef67ad4a7206b883674e109e902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d5958890578f518cf051d2733a02ee38

SHA1
a50e66d24e189e7c596c6d0a39bed4b54f66793d

SHA256
8db3bf127b591c27e24649f0265f46370eedff156264ffc46c676a332bdde493

SHA512
820555bf8c8dc812833fd65fa47e587b77b81814635b22b128ee81f371e40ba97c75c2ca45d4d2b170f82d62f8ae25e783afa343ffd19fd47af6c9a502a5f106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598b00.TMP

Filesize
536B

MD5
92411e2f3a08ee9e929455b121fa9585

SHA1
af137fe7a93642013451750755ec8f279343df53

SHA256
3f06888adcd2be6b69af89efc632b1f99ed96425fcbcb20df375eef7256bb87a

SHA512
049657a5ddb690c72be0f756efd1f253a28277a8a758f460375971883226efbdaee12b9740500d4a502ab72a2335e5d97d3e98d7096a15aaaed8cbf68412a95f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000a

Filesize
17KB

MD5
913728da90cf90d8e78af59c60b47c3d

SHA1
f42f2a545d4fcaf4f76d0f060f52e33a47df7f1e

SHA256
b0b478f9aa6aaf8d5811e296047ae1f8ee07f4c4998fe9d7b960755ea1fafb82

SHA512
3af86e053dd56aef03e6f967a49b1a0d492616a71e2e49090e0c8e5cbe58ff37ccc55e91f06bf34096059a49f3de84b0bca587f3f17c366f97c0f7a0fd17c974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c20b94ba7d605704572b53c78dcd1f6

SHA1
d47f6bce50f2a30a94a0d59f311ba4d6865df9f2

SHA256
c486eefb8a11d279849b4e6e747c58f203d06f1a69314a3c6c296ed753406cf1

SHA512
44e5f629431dbea1c609e251cc071a32e5826a3b05a3d22abba802d7554a9c1d8e8da8ea5ce19de3dac0c08e555ef97100a35f7a376c67b6a7b0241ff12dca2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
15f65fc24993c0e4039a0983dc04681b

SHA1
7130a119bf7b731221a81dd207a65a425464a827

SHA256
844d76e57a34648dda800e47a643c9fb28f66274b8463c0256d030b3a7f7e817

SHA512
2e71d9b47585e9afd3f5c3dde1b8922d6fe7946a1f124fa507b58d706c52eb7e855b04cafb49aa75d360445bc9e034da40abec48e0c2604566d6619dec608f75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
c6d9cd6e70a2c8e4056c475396fc456d

SHA1
7e8527085d5cf90989e7f6e8a4fa9fbe56d124ba

SHA256
b2bc6b2526fbfa6bdf342caad29d222cff0807fd7f16475d023d59a509ce6b9f

SHA512
5ce1b6adb3ede9af161908034ee1aa2d94d6864b6197ee388807dcb78b69912bee2394bcb652dcedc2b4729a1ab8ff2b53936ef76c340bf72a0915d8289eb60f

Download Submit