hxxps://steamcommunity[.]com/app/2972800

Analysis

max time kernel
300s
max time network
301s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-10-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommunity.com/app/2972800

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM.
phishing steam
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1572	msedge.exe
1572	msedge.exe
380	msedge.exe
380	msedge.exe
4600	identity_helper.exe
4600	identity_helper.exe
1704	msedge.exe
1704	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2420 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2420 AUDIODG.EXE

description	pid	process
Token: 33	2420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2420	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 380 wrote to memory of 3788	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3788	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3780	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 1572	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 1572	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe
PID 380 wrote to memory of 3256	380	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://steamcommunity.com/app/2972800
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe59763cb8,0x7ffe59763cc8,0x7ffe59763cd8
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
2⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
2⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
2⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6644 /prefetch:8
2⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,1720593900725897107,11012028113357491328,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1164 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
45886a6a9aace3fad669a79bc3191ce5

SHA1
c24b4a569c0fee533ca9db199feea061ccda03f9

SHA256
99d8caa7d664ce601c1e90e2b94cd63c6c5ff70f3d9871223f356f89341a43a5

SHA512
2dfc402d0c3f39bac280ea49bcbf9edcf7d849c23ab97422ddc0c46d2a18250e90bc66a6a407e437defa1eff3ea745ea657fc2a21f6211525e35a560a31c59ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
71KB

MD5
e70228eab135f1ae1bbf0b59c377762a

SHA1
d7391fc9ac4898fcee740d74cc1205fb616b4b59

SHA256
c0c32d95ffe02b09c4f18ec9155f5ad2827c774fb4a5ea9b19bd75d1f2099246

SHA512
791177b26b1ab75ebe7c4e1d252ddc637813ffdf938e9d6ee378c7745ab20623e0f9a4629218593388fa88807a3bf9c0967060afc2b07c97687b0d092143e2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
54KB

MD5
30cdeefcd7b4276ed898938660ec9e08

SHA1
f15d502026a12e6fff5f6ac89d75b243236afb28

SHA256
03e39ccb8b5d1d7529b000e327859dd85244ca5aafb7c5e36699413c53d23a24

SHA512
0492cf57ccbce9516e4e44f9a87b6d0aa917f5e7d106f69089762d56ad8e23af777ba81446732c29a667cd1490af65fd4621f360de4f2901297d6dfe1c744251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
39KB

MD5
d285b525b70a051564f76ca71504e368

SHA1
333744cde9de37b4936c98e90f5a38b1d90af845

SHA256
bce39f57831630e2ac08ef2cc9bcb6cf6395149ebe4c487bd136cf8881591637

SHA512
5739f18afd9c2f07723e4e1ed9526d90ac2e541284a57efc51b464e0eb3f9ac7ebb58304d453d300e98110efb881ef0d3f8673847f01162bca0b02290c1cdfdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
17KB

MD5
52278bdac5d19b84c5e18f6dd7bc8ea0

SHA1
50e8a387a2d3f8fabd90c6daf771325a1a308831

SHA256
8fdd303ceea08b4c16d16956ca57320cce73ce54b5670381042c7694c1bb52cb

SHA512
cca2e8846f04241772ec700e0aa02bbe54160bfe98f28ea25f671d15733623be86e9b969631ec6210abff706d300ed4e8a5e3e8fbbe1e52bafd6922b5adbead7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000af

Filesize
1.7MB

MD5
d1895a5317927c903fc6db86439aa7c1

SHA1
ae8bf82490d692e0a56039d7d2c8c4b1643174d2

SHA256
9f6a13bcba30e79854b62ca703a248b2f140380a456e1e8c2d49ba28960722d9

SHA512
59be1e874d8219fe05326f1f6cc40e706a82a1231b16104a69b7969c80f00ff4b0a000ac73cc866fbf3bf954214db7a2ece980b7189e433d7860b845260e0dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0eab3e5bda56a3ca4eb1fbbfc59eb537

SHA1
cee3fe8fb4c56e259f9288c7ada6be5b092dc610

SHA256
11a6ecb6e13a91cf17d8f939957d6be30f4d193effd561003122f3b960cf2859

SHA512
e78ade7d7ad670a040bfe6f67bc38a22c8d56fd9d9e7f4d4f91abec4f1c97ea3d91c9537610a66f2d4a4047e790de5db8150cbfdd00ab1bdbbd93f24ce0ef34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
96B

MD5
f31e2b1804901f6cb2ebec3296e179d1

SHA1
ebf052e1dace8abb8643368ee92284d55f517b63

SHA256
b6aca38eaf55c4ac3c456b496b2893826383d702359d466079646c72e68fc2dd

SHA512
3fae11156cc247dd77c3d2d988b1864c2ac97fca5770628fe6579add7d87825a941a1ae2bc9dc77fdedba6623247542776ac5e774063139fa53c58c46695d7e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bb41a933d44de9a4d6e91e989074384f

SHA1
119b5dd8e27c570122f0b27cb5ace418391ef6ff

SHA256
3acec8d07c56778f49af8d3c210a17d6cff91752cc668cc50b46bf01e1ebf522

SHA512
9d317aa4d99b25d249f65463c1fbc0a9255c5b801d88b07d99035d36159ae3a145ea25c375248cc554183bdff1144365e3f90a082d65e072dc1e20a4f8bd464c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
478cb751e21d477f9f5c968bd729f1c6

SHA1
af4c89a8f0fec09fb9ab7b0051c76ff762b361d3

SHA256
0b1e88157859b1b14f40bc507f8b8bd0101d66c43ba06c6f77599d8c2c3ca476

SHA512
f8a93a8d04b477d47763d21340943e6a9528ce52e56eb24ee3a44be7d2273d825ab0edd8583d97939c0c5e9df39839451730c3c7fa4566221ec375c5534bdfdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ddab3f6c69bcec11545a9ca10677d49a

SHA1
9ff158535c58f1d79a181d543a27bfc20ed98de3

SHA256
a123947ad599c62741a56214e9a957d4e5c0f92dd9592abd91900e3266d8b673

SHA512
5e44e3ebd74ac3f71612f3d3c502a3b7b9bf4c907604c561e7e99db77bee4368f103e67e09c27b629fac5019b48f69587c003e57c07f430578f98f60a4f0fabd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af750d4d4cfdef98d889dac8d1ea0878

SHA1
20854ef3c8ab1fffcbb8123fb5745666c778748e

SHA256
01f3e0a5fb90c271c7f4f7eb3eb0903ee107f7aa56019dcc842949aece945519

SHA512
7c0ae3f5edb19e20463535e1d5ac942a1e1291d85300399f4628abb535c98d7f9d62566e7c782f3e0d3ed7a55f28e4cd8ae6d779225cbd9e08d3157113c53491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
621fd8a845b07988032c8c63544302d6

SHA1
a8dc75428779dcc5ebac534bdb317b836bb85c3d

SHA256
7cdd174468428c8dcd2460c0998c514addab4edb2fdffebec06c377dbbf17ba0

SHA512
de0ffc4c94d33e565d423a749a1af5c59087213b3f1a537871fdb3751c9981fe9e207cb7ce719a0f7740ce84c1f8853dc88e3884b1f21002efbe1cbfb68bc305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea399ff266ad1f7f44b3071bf19670f3

SHA1
20ca02ffb44900e8fd2f3aa482eadd21c1f203bf

SHA256
e55fcf49e7016bb0b64667cfc4181edd8cd8869e19da558c8227598a2f54f647

SHA512
ac8df3c5f926a236ac6b2ba23d6311c4086434679196fae70c8bfcda919bfb787f72f25c3c3b8fc0b63214931c11bb577599d8ff7d6dbf68c9425c15c449fa87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9e348ded6502e346927926b3a7bdff5

SHA1
58c127b69b79139fa18f36cbc8dad6e5b723cda0

SHA256
f035ded0410dff8f4fa70af4c7f18584138d472192dec62055eebd78cd080e58

SHA512
3ccf7b51964f38d09fda9560ce0a219d8d1f13c166631bd5d79a1d72b259ecf62aa992a5fb7ce38ac6aa1b96b412f17a581ea39473375db25c178c075c8ccf92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1c29f8d4acd20301895f505dd794151

SHA1
8ef8146a153f0e6af4ab168a84bb852730103c38

SHA256
b2cba72bf7f52245599dd2f4c8ccaf7d7872170db6cede8af3690bc91920b516

SHA512
96e4a1c1265a87d65dbb59b25813c40c90eb4962a17454900a6d2da5a8a9731ed6959365a1ed7250db34d9bc9b7f27c803b8c287e2e22c6a19503fc5ac474a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a6a33c36f9ae5ef29cc45fd7c88e6a0c73e1c12f\index.txt

Filesize
89B

MD5
100dcaa7ff874f7968c7232781fd9309

SHA1
10f34c1faf9b1bbbf929054a4bf2e9868d0c5a11

SHA256
b8d38b40385639dd89094992275cd51c9d40381889e2b4ef4534942f884e0570

SHA512
6bbd0173c2fec1ac96a295205512badc30a1bd3fe546abd52bb2f9514483a664d8915cca6444eed639ef7da0ffd5354fc1956744ed5b1cb1fc7899d3bf8cd9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a6a33c36f9ae5ef29cc45fd7c88e6a0c73e1c12f\index.txt~RFe5902b5.TMP

Filesize
96B

MD5
aef57dd69b78156211e54be55ddf5ffb

SHA1
8f260bf47a338f7e9aed9c5632c1231e37fd23eb

SHA256
a1244b148c07009f4209ed54a40dafa2a57ad4ad751e890d93f9ac7c5673a1bf

SHA512
95516130d29b3a7f6ce8be21959e4c5a293a096c46a62a94eab9ba7a0b6eb9f0e466be61adf4b6327dd54f5150ec131a107d5cbf649b52364e1a87da0599a797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
76215b494bf0b19bb8836c3a4ff34db5

SHA1
13aeb60e382f9bc1b8f6583fd4d8ca0d5e13adb7

SHA256
c68a0f20634fe6e2bb0c3f864fcfcfede141a7c6ba1ec970b8a20405404b9fe9

SHA512
ed2e59bbd459e442ed1c3b5f41d0301b434b012a02ad5bf86651db6006bbc0c967d4da8baadc67ff2c9f002b57ca636204e05f3ea24abb915de8f31484b95552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe590229.TMP

Filesize
48B

MD5
85261dcb13b19a3bd6abf4b562308953

SHA1
f3af54c9fa2c665a9f113155388ecf8a20cacbb1

SHA256
652ff48232153cd881685b4a5a26d705a68f1910ff0a8b0012c1c8573b2c0444

SHA512
cfda550dffe7d3952fe92c92013a3a257ef8127a426cf32b3cb12f093f33460e84de6112b0212c3c9ca05d0bbe038a84b7328ea9b40e37f5890fdbb39cb6f8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f5b58b23f71369729c922d8d258baf2e

SHA1
1a384de9585dbdad2deb192f67a521b6d3b4b30e

SHA256
1dc3a506a9c5f607d1a127eeec8de9e09b97ddfa782de143b5fd7e33547d20d3

SHA512
3b5d1a9db295fbba89f3e697fb03f52b9338c285750b2c1e6eb42f5bc4b62280f6d7efe64c5fdd92877d474b8a24f9515b9b1e06cee4feb082203c8071698a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
4ea2687f58e9c2b8abf48ff27770f5e0

SHA1
d671dbf04cabb05e3dc3763954a941e0702e289a

SHA256
4982ac622dcf4ff01d5af87774edae40acedb1ede441cdefe666e2a245747cab

SHA512
82d7f951064830b51d289bbf2ad9b3ae94bee5cc27201cbad039ba7d23a937594b6829765bd822086bed347930408294a98e99a4ea26cddc2abf0ecf62b55820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3d298cf607c5aa2791465b40c6209b7

SHA1
f784bc0d779a6629463ba3062ff1b1dd515a05bc

SHA256
b5fbd2f0f8da9efaee22218b436ba5e1a3b336247ea1cab6133cc23b164b854b

SHA512
6d5651f8c143a9368c6b3d47c6f6786bef1c9f9dbaa09669c09439c528d6f1306419832bf4b024910c5f1e8d2adcbde038b93387e8e7f43a0ace4703292f2e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
1e772e7b6f4f9fc61afd98f662f6376b

SHA1
99aaed9665c3c98109d2a95dd47e508e691c00a8

SHA256
91adc1925d2f34780b8e67e509a213fe370026147677a0aa7fedff3ea28c26db

SHA512
913d7656074c7edf972ad3487c3696536447cc9597e68d6dea1ff0aa14f89e3d9847373833a58f84f6adb2913da8cadfd8ac64660f966bc33634758c65cbcbcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f7ae.TMP

Filesize
372B

MD5
b59041c25daa89049924f815cb40e83c

SHA1
a425567ed55fafcb96a985c8888f3cc1b69914a6

SHA256
4e678705f87f7bca3ae5dec017f6b87ab1cc8f48a06f06c40e2918e62cb24bd1

SHA512
e240c321cd8b1c413c1c962b4cc786caeb5eea49091c351fadced0bbcb1813d7c04eb5e14eb5e33f5462bc1f929f759246dd0465e47d738358ff0b0d317ee06f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03f69a64fde71af18b20f01e4190c7a7

SHA1
79bfff22c953b69fa2bc1622519358612a8cac56

SHA256
f93e56e931f89fbe22f946a3374ab045b26501b76c665dae4e67e5ad01b2cbb7

SHA512
79979f71bb0f9af5324d68d909a73ce7b318f675aa2c0e9d7e85419b44f14cc5a532bbf84d515432d103f531a89b0b554ce953b0fac6940039631ef277b62252

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_380_KJDICASNEATVMZJH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit