hxxps://sourceforge[.]net/projects/subsystemloic/files/latest/download

Analysis

max time kernel
108s
max time network
109s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/10/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sourceforge.net/projects/subsystemloic/files/latest/download

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5004	JavaLOIC.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	discord.com
2165	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ipapi.co
2097	ipapi.co

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	8	https://sourceforge.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8d1af3049d557702	3

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\JavaLOIC.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaLOIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\JavaLOIC.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 398824.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
1552	msedge.exe
1552	msedge.exe
1460	msedge.exe
1460	msedge.exe
2096	identity_helper.exe
2096	identity_helper.exe
2404	msedge.exe
2404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4712	javaw.exe
4712	javaw.exe
4712	javaw.exe
4712	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4100	1552	msedge.exe	81
PID 1552 wrote to memory of 4100	1552	msedge.exe	81
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 224	1552	msedge.exe	82
PID 1552 wrote to memory of 2320	1552	msedge.exe	83
PID 1552 wrote to memory of 2320	1552	msedge.exe	83
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84
PID 1552 wrote to memory of 2420	1552	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sourceforge.net/projects/subsystemloic/files/latest/download
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa3c4a3cb8,0x7ffa3c4a3cc8,0x7ffa3c4a3cd8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Users\Admin\Downloads\JavaLOIC.exe
  "C:\Users\Admin\Downloads\JavaLOIC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5004
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\JavaLOIC.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://javaloic.sourceforge.net/
      4⤵
      PID:3056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa3c4a3cb8,0x7ffa3c4a3cc8,0x7ffa3c4a3cd8
        5⤵
        
        PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9297970099278753968,11330482185118204864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
62KB

MD5
c77af4a65770062835ee61479e4cddac

SHA1
00bd27cbcfc7ee0cd8dd6d2ee37f6339b347513a

SHA256
51ca4d1039c185166c08a7e69fbf3c3f414f0a26da07cc992ac0f39817943b97

SHA512
d1c5068fb469880b666c02983847d5ddd8b09ba6e58f8164e022cf6a25303e8cacc16adc5f6f1d573705f4ea937e713d4b087b1d8ded1380f68d2ae400780170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
9adcce027b51982c936b7fd8db2306af

SHA1
b1d523bb87a284048789393507548c29141c2b83

SHA256
9843f43067900ae77aa936cac8ea2c4fdcd44844a30be97252e121f700954650

SHA512
e6bd01f3767d5d67bc5628e9e6afc14ef8ab816b84fac07cf4b746ad5b307c1828d1e966a14dfb9f62dd0898c8c806c2691a8333284acabb2dfc528b5d146b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
f4516b864fb8eebb2b3ca92e966279eb

SHA1
1019aa9febf4ac04c79ba36fb7e06673591f965c

SHA256
f61748bf304034e0bf5351b681af8377d2cb77914f8fb007ba16a518414d0561

SHA512
694135559877a6ab53e5197372fb9fe6e8084ea7d8f9f144125286a3dbe6853ddd7671661db3f6a4db5ee32695075daf3797dae54ffdb843390acbd1cb2834c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
60491213ef45956b61dde4c06dc797ad

SHA1
7f419108004a1ed18c9ed4c87dd524950b7f3d3e

SHA256
1e5cc2f62b49007e486d8aca06fb91fbdc0bd4f91e0359f397736fe6e2c688d4

SHA512
5d4a0a63c9afabb57940e34b6d96b0ca2e26bc3a5fb0641817f3dc9de0f362e94f33827daf96bca15ba9e3f8ea5231921913f3a336e3004a910bc698951c2405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a590eca577e305337d428323b5e4f968

SHA1
18ccd2c5fd3d0806ad32b1f23d1802fefa85f70e

SHA256
17c6935cd607438ae4d0b446b0c1cbd577bf978bd8f2f326e05f4e9864a82bfc

SHA512
282523990833773e50c60f567fcf13e1ddc20155345b179d606d35df856ab855cb4f4400992488f3cdc41c9f0195eb90cc9729b2f0f112007d92a9819e87f301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9760bf28f147ecf13ad362e2afa9a246

SHA1
6d173c9365059d4bfe04d0941bdc05a910b02dda

SHA256
ee0e555fa2a5d8cc3a3039a9e29b368f95557b0e7d78ee8c7ff6665e37db23dc

SHA512
e9935a160c683f8db5f62734e3cacfc53fd4778202f1d4a7b2b5202c99b06b1f7ffc3b62186a23ae5d0508727eb252c682003c8c91db3c97948638615b616afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c5bcfdf352838f5628c50539ec73a92f

SHA1
0f6b28ef8d51d7217bc5964d5c359491aaa541bc

SHA256
496fa18cc2acdff95c3b253202f54525120e3db53f8f05e3b5ca965bc3624128

SHA512
a509240ff20e7477ecc56d12a3c536c33114ef95f22adc82cc2b1ce2e7382e8c9688aafce31002413f7fd0886ed6077c62953b23b30e4a15ba12492f51b60d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
07b02b4925a1c83f5730699fd845b9c8

SHA1
1dd88c951a289a193978e535a7734010d3612812

SHA256
a859dbbfa8962fab8957478da18c2b7568b2f6a1d6c909c5cae039f91025cb1d

SHA512
670b4a1678989af0a419f1353f6298dffe8b8c9132116fd3ca6d80280434319825954731bf5acb21b1daf55cc1c888a86179868b5d4b9c7122ec60766c970c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b05445f478cd18e21abcd47b5b163016

SHA1
45fc5e9c92cb270da8f6a3ee228b465950753425

SHA256
8467ac174952b08d8b7ddf8c86d4c07c9e959d9da730a63153dcaf61b9d996d1

SHA512
df335ecad6e45d8a1c1bb13d52d1356544cdbbea5b3cee06e127438c6e24436b882a82a3f676f316cd6902bc05363d6cc124c6cfc4d06c934956d09db5e0f757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
8895d81fdb037e1d5e18c4575ca8a23c

SHA1
25eb20d6315cac1903b827f06aa49738af4f8cc0

SHA256
5665a47e28b94d4c50fcb4d3ef75213d73cad70835dc0ac592bbb01184fd9519

SHA512
472a8b35692dc8d70322560e37beee1cdccd7fd8c2e76b0a6859cf8a670758fdf4266e380da47024a80a29ddce5be2a391fd3a27ab1919f39557d9bd5077163a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
b5c450f768041dedc5efa50157d4ca16

SHA1
db10967efe6bcc2a5bb73a33a42d16ca320731da

SHA256
b135f066fb3ffc5382e9aa3a71dddbbea23f4ce992097b4f6e21eb3fcf173a0f

SHA512
6ac8ae9b7c8d1cd39fde399103c505a21298a16f34e66eb801df942fb7f5f945c2700a8484291dd6eb50d8f478796ed5aeda23fad10578161bab82478a48b44d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b65b.TMP

Filesize
538B

MD5
959611253cf48f13160601c2131f8540

SHA1
48a685502226e61286d3c35c96cc6090f1a0e524

SHA256
13c47335bf4ec5762e968b16615d0d28777de3dc069b7010f45f5f6ab2bd523f

SHA512
8aac1fbb9c5578a06be86a0263744e3f9dd86394ea96a48e2d42d3808566f420e7560c96c4b50a68842becc3ef99aafc0696f3d20109bc578f8063e042b2a64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ae10a345b095b65e128ba510286c96f1

SHA1
217ed5baba0d7aa1d3d8676679cc2621a18375c7

SHA256
c211b6ce3897b1bdc82fde74bc884276c9b320c999670b58619047fb2cae40fe

SHA512
acda633eca9a67f9a737f4ac4e5f7cd4f22608fe4d77dc5c4e0701db724c6d75f0226e31024486c859da21ccf74b31304413be63de22cedaca42fb4142d987ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0415eab30a2b2f1762aaa87d567028ba

SHA1
69dcfb4c738f6b559f553d73a1e4bbf988e3c9a9

SHA256
110e2d03f54f2bfe0224b588df020d6775c6b47bb20848ae1eb3d22450c77e09

SHA512
f137a2b42e3f561134fc8aa4f40ba18360457ea327348ba478f750ed52f2bf5e6852976975204a8644f704e24ba40c16e1d8c5e6d51c0d31178c8a66297d4610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ccca6beae5bb00e8d4cfe21acdc8238

SHA1
6a13a171ed78d9eeb34e8bd31fbc0b137df6d4b1

SHA256
90e9b5d93a1d2131c8645774a2a7866b11222fa9cf62117315c7a61b22b226d6

SHA512
5f911f499890c11b9cd6654370671c8a8b5652ec7f6446d8a623ed41cfc0cd9f7165b86200aa2427c275721a796beecef5f9d4e328272e08de5ae72a58d66d12

Download Submit
C:\Users\Admin\Downloads\JavaLOIC.exe:Zone.Identifier

Filesize
150B

MD5
90794edc72b22a5d2cd3d1ab5e4d9db4

SHA1
7b452ea5a52188245294643385cbdeeef25db4ec

SHA256
d1feb15fbdd7804134d55030f7181362c982fdaf293253a09c4d5c3f2f853293

SHA512
e79e95e2cb136c5ff2bda575320f5397d451ea36f844b54b1d26793f976edff46b9450992f56a1b0f3cb3584134e13f049bfb3d4848cf497839c29f41f27673c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 398824.crdownload

Filesize
371KB

MD5
bc8c3b4023ce8435c1ed213b05e031c9

SHA1
a6e9dcd0e225317cdc478043afbe1a0c745ab391

SHA256
2156969ef48bf7a55e1daf04f9c1ea2ca0a6827ad7ed3c608feb8c348f3db4d9

SHA512
5e5f66828870e8b20ff25cb8373056030f9ce13f12262eca6c211eb274587af4521375392935012dab07faffd3ade4d66e57005bd3337d3e246d1bc70e33b23d

Download Submit
memory/4712-347-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-374-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-373-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-375-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-384-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-382-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-380-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-379-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-378-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-377-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-376-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-361-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-328-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-327-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-318-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-272-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-271-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-213-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-210-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/4712-187-0x0000023F90650000-0x0000023F90651000-memory.dmp

Filesize
4KB

Download
memory/5004-170-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download