c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304

Resubmissions

17-11-2024 19:15

241117-xyamaawhjn 8

17-11-2024 19:03

241117-xqtp7awfpq 3

15-11-2024 07:15

241115-h3byks1bka 8

Analysis

max time kernel
2013s
max time network
2003s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup.exe
Size

978KB
MD5

bbf15e65d4e3c3580fc54adf1be95201
SHA1

79091be8f7f7a6e66669b6a38e494cf7a62b5117
SHA256

c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304
SHA512

9bb261b4ed84af846e07ffb6352960687e59428fd497faa0a37d70b57a1a7430d48ac350fbb0c3f0f11e4231a98ebca4d6923deba0949fdd7a247a3c02737355
SSDEEP

24576:4Fa9OUi2VoN2gZ1M8UQag3BXrYZt+GgGTfG74T+TRcL:Z9OUiTN2gZ1MExEZkkf+4TARg

Score

8^/10

steam discovery phishing

Malware Config

Signatures

Downloads MZ/PE file
Detected potential entity reuse from brand STEAM.
phishing steam
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 597248.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
4004	msedge.exe
4004	msedge.exe
4668	identity_helper.exe
4668	identity_helper.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4620	4004	msedge.exe	100
PID 4004 wrote to memory of 4620	4004	msedge.exe	100
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 4848	4004	msedge.exe	101
PID 4004 wrote to memory of 1640	4004	msedge.exe	102
PID 4004 wrote to memory of 1640	4004	msedge.exe	102
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103
PID 4004 wrote to memory of 2364	4004	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff960a46f8,0x7fff960a4708,0x7fff960a4718
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7934670871985065187,2839971081785399902,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6488 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
eda661ab789f341f8d744210f04e0f5e

SHA1
8bbab0e635c459fc03df7b1b118664558d64951e

SHA256
506336a33cfd8f33ef3438bed1402b19313074f10d98f2790d8d7b7cb1f0c3dd

SHA512
6ba9f5ee64b4d7acffbffda749657af4c5f000921af54c4b24ec2dbccc57f73b627ec712c86b64e6fe70d00bdb64f9248942dc6c95f94823442051b4d492f862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
807B

MD5
ad7e30904e1e154bdde8f8926adb91cf

SHA1
7b5144baf47395adb294255cdffa7613c14cafeb

SHA256
5cea31f99a8e77bbacc5cf7741c1e8ccbc0388236b66ac110950896bc3bd2a54

SHA512
68dd516cea68a7107ca9bd2b90b1d1d1b7e56c797d0e15c04a12ba89f3d15dabe78a7a6db5a22b2d461e860872a9114bd2f3c8884745edb68e6361a855335193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fb42e8f52bbe0e7c4273216e6f1629a

SHA1
95b5acf442944ac33549d28b817a33f87d560a4e

SHA256
afee2d87dbf69782400498ed14125885a3d1eef4d062a9c4bfc23f2219c2b042

SHA512
3f648403fc0d858073c7910f7ee48fc248306f8867280c08f7b32aa0935cb96a3e8a02409ece5205d9ea906efd9729f1f2c4aac2c0a3a49c6f1fb8ccd5dd211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc1ba97cb744cc87ef1795ef08869efa

SHA1
85bebcf6252c29c6cb22f4b7940a1ac2b3765f43

SHA256
0d6c623bfa301e12fc0eb9022093685d8c3c6f4f28f8afaa19fde59bca4744c2

SHA512
5bf3ff0a98c1baba8ed23188b63a1537af2882d2d135995f9ca50e2c67fd130420f460b4f962ab190cdfaf4d54d753213038e1b19a9977b3335f5b17cec1dfbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f6c832c0a785e9852e7fce87642add8

SHA1
4889980f3db870a747d869a8fad382afdf8c6b5d

SHA256
dbcfa25b2abcc77dc8d70d10c8c3ab8bf2dae6ace47821650b8c8d09c0a2ab6a

SHA512
e19b79485e40673cfe2ac56db98da6f8b3f627accebed320d854fecec335fcd10870068bc34c23a67d23720e1a98acf6d8afd268c34f127ed9e419a24d7e5d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
7a02b22d93f904a90a723aba38eee445

SHA1
8d2dff6aab63fcf5b05d160177c3e87d3efb5a50

SHA256
25090b745913d0775382bf9f22c0b6a87230c0d398388714e15d39e09c27b958

SHA512
b806be5efb68d5aa7e44704c1adfddf58eac7f76058ed6ee94fa19924fef6968d38b77defeef6435afaf3e47c1e9d1ccd87a7eb52cac634adcc5d39072ddbeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
879866c63e59c893edfa6ec67fbec596

SHA1
52026f384ab3f4d154cd69a716621c7a5e23f9a1

SHA256
12716ffb5fa9bf1ce3dd79bf56cf982f4a3f77eec04451201e87174835b6871e

SHA512
a8bbcb5b532d4b5359be9304cc2083870b5949caed56fe92f1355236646a1ea6cf360639659d1bf9e26ba8b3450f4ac0acaae850b99c73b84d52f312b7da0c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
33fcec4184913c7de711701392e06246

SHA1
f4f2fa36cf2a62f6d70f8aa33ca49075ffc7919c

SHA256
ad426e290a4bd98e84dcd122d8bbfc9d15cf671c7af4b2e09cb4a4d1ab8a24c4

SHA512
7a7adedbc0148c6cf13fccad4db23840f18246a4b389042fe782ca3f73144cff667e3fd97e15f7f10eb2d28c8cc7053d1d95fa08febbf3f08fd4028985e13302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58df5f.TMP

Filesize
538B

MD5
91b617172095451782a42c2dbe9d56d9

SHA1
4f6bc71f29ae1be85c3e70eb91f126856dac5d54

SHA256
a261c419e9fdfa0432c90cb0a020aba2da9b2ade0537a3602a9238e18a508814

SHA512
402f6e4a9f3dfd984dd419a088905b144548eab8ae9649865cb9c2c5c26b9b3e08e40c261b071a9a1f769e9acbda8af852d35b553f81ac729ef979701ed10b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a4313ca8-5186-4a0c-b7c1-181abebbf643.tmp

Filesize
6KB

MD5
007f3898c2a9c6de153e3dd10ec0c0a9

SHA1
80430ed1c1fa63aa4bff686754384cdb58d7acba

SHA256
1591ada4aec106997f4a4a76f08fe1fc375bb2b84de6cb20b1336184bd9071a9

SHA512
a3b06a28b044d855a1b78a378714ef638dec98ef407040c40535f86b6ce177be6c65d27b48844253e941adc689d026f60f042ce4ed3f0003b9000a8375fef172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
746aed48e30b1f4a8a4a019e583653f7

SHA1
7b6ff2bb8b3b9e4e1e2b90a54fb61535034aee6f

SHA256
8ba28f2a9938cb0476fe5463c0870d65b66cac16d16f80e68201210b98f54575

SHA512
31d3286f784e7ccb2bcc0c47d826459206957c01eb79321dd28922e32bbfd2568e55c8ca5533465d6885a202225ce0f15a2ec4c3c1bd4aa775a1db4b981202b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e90975f3fe63f43b46bb562c1cfe4086

SHA1
c0b33e6a92e2397b016b2e80009036aa995514f5

SHA256
fc70fab70fdd88f1578e69eb8b13b3ce94096135d0d96e7a3ab3f47acea10091

SHA512
1f8d1688eea59f0a33e698563724b5229d5429d34c9fe5fde1403f2d4dd354cd440e71828e32f8ca34ee333e691bfad4fd170a7198dcc672c62f0b41b65baa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
27c0cd7fb99e67be421080ad23fdc1e7

SHA1
d7589f5f83ebfff6ea6dc8c47f869f9974abdc6d

SHA256
dc6f007e14ca339a9b518f39b3cb303b753782fb6589390673a1e8390249a0ca

SHA512
459a5214b29dfa61cb1bbc1e7a5b0dacc3cffabc3f5825b714c676a3f26c20c876032dddc5caf09039044a81d51d30d73fdebd5c82bb217f62baf2d6369781b3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 597248.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit