hxxp://discord[.]com

Analysis

max time kernel
185s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://discord.com

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
phishing

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	discord.com
14	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
4668	msedge.exe
4668	msedge.exe
2404	identity_helper.exe
2404	identity_helper.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3960	Process not Found
400	Process not Found
3956	Process not Found
1756	Process not Found
1732	Process not Found
3608	Process not Found
4324	Process not Found
2072	Process not Found
4356	Process not Found
3472	Process not Found
1128	Process not Found
1168	Process not Found
1108	Process not Found
2512	Process not Found
996	Process not Found
3344	Process not Found
336	Process not Found
852	Process not Found
2680	Process not Found
4608	Process not Found
1752	Process not Found
1572	Process not Found
1528	Process not Found
2932	Process not Found
4248	Process not Found
3980	Process not Found
472	Process not Found
688	Process not Found
1216	Process not Found
4264	Process not Found
1712	Process not Found
1796	Process not Found
4312	Process not Found
1260	Process not Found
956	Process not Found
3836	Process not Found
1040	Process not Found
3324	Process not Found
824	Process not Found
872	Process not Found
3816	Process not Found
3904	Process not Found
3892	Process not Found
4068	Process not Found
2372	Process not Found
3864	Process not Found
180	Process not Found
2396	Process not Found
4888	Process not Found
1792	Process not Found
1956	Process not Found
4296	Process not Found
2404	Process not Found
2572	Process not Found
1180	Process not Found
1156	Process not Found
1008	Process not Found
732	Process not Found
3468	Process not Found
3972	Process not Found
4308	Process not Found
3888	Process not Found
656	Process not Found
4344	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	3104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3104	AUDIODG.EXE
Token: SeDebugPrivilege	1628	taskmgr.exe
Token: SeSystemProfilePrivilege	1628	taskmgr.exe
Token: SeCreateGlobalPrivilege	1628	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
216	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 3880	4668	msedge.exe	83
PID 4668 wrote to memory of 3880	4668	msedge.exe	83
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 4996	4668	msedge.exe	84
PID 4668 wrote to memory of 932	4668	msedge.exe	85
PID 4668 wrote to memory of 932	4668	msedge.exe	85
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86
PID 4668 wrote to memory of 3472	4668	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://discord.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4bdc46f8,0x7ffa4bdc4708,0x7ffa4bdc4718
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11952077139941887889,17348826888677051841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2376
- C:\Windows\system32\wininit.exe
  wininit
  2⤵
  PID:4356
- C:\Windows\system32\wininit.exe
  wininit
  2⤵
  PID:2900
- C:\Windows\system32\csrss.exe
  csrss
  2⤵
  PID:832
- C:\Windows\system32\wininit.exe
  wininit
  2⤵
  PID:4008
- C:\Windows\system32\wininit.exe
  wininit
  2⤵
  PID:2784

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3932

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1096

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4500

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
02962df9f1a16d9de1842f7f942334be

SHA1
e3c5ce02b800288f49b01b593a20a4940ee2ec15

SHA256
d4b70b3a754eb0dd4f35ccd00db524b340475fdf5094d5da23693926503018da

SHA512
01832d57159cbd9c25707c34756f82bd8548878547e66d72800c54344c3b418b8115c73310e5a062a16e9de05aacc1c67403592467fbdc4ead61059602f688bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c9d8ce566da1574dfd2ccae586f3492a

SHA1
d24f6ccb52ad177870455b301406b6578e97cc52

SHA256
15ea5b3702dd09201213896f53be7ad9c56f9c423f49ed882b94135946695403

SHA512
c76bb62cdad6f5d9625f67147138aac2ed4efd3b97db3716050a8e31031b83cf8905d0a9a90b5ee9bec4294a0cb94483431763e6449e3be4d18d16d0cece5061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5501caecc05c0f60cf1db2fe7109a805

SHA1
cf999c289869b6d01ce0129d3cfefb229ea38242

SHA256
f6a664f3075a4032d6d5b853735546973aa25f0aa032ea0ef7dba2494b1f3ffd

SHA512
4f8fca69f6f8fdfcc33efb90f011b6331e498e6e0a47940763f8090c35bd9ff1bed08aa6ffc2aaad37c09085ce2ff9240164ee90f20d860600c92647cb7e2a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
847a8aa33125a0ccb81a9a747f9b8b72

SHA1
42bc2b431b8a2a69eacb954086d2c006103b747e

SHA256
03fcc0c22cb0c546b5f2fe712d138ee941f13ada28abdbb099dbc208e6158b4e

SHA512
92bd7132f3e12c04a0e9232283e2fe2b5d6e7380bda7ce7db09b2dff6871c75de67a7161607434627dfba6f7d827f0e1e915c4f95a577ae1cc2dca76a1c01f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b72461d0106f55b82c0d45ce6d6813a

SHA1
735d721b70e41a256a1f57209eedcee6d5c37528

SHA256
165b0fe6a069474a3cb988812322e78c1293f7a5b0451a192996a31b918761e1

SHA512
c32e344cc74e1d3d16fc00f14ce2d06086e67922f5ad13f44cf49064035500d7f7b7badce25e3326bfa0d77694ff1ad59bc39fda010f72e748026e3e52c31650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70492ba068eab67afc8793e6226197cb

SHA1
5175613e90498e8d725650400c2d00d5ea69fcc2

SHA256
83b74975214e8d55edac1a3c93fe19ef330483dc725ddf437b8de82f6b61d2e4

SHA512
cc39d50816451c8d1e45b17058f8b19a1c5af8d5c8efc2181e1ea565b2948f64075d78f3ca33b183a32c02c47fafb64005c929c7bf44a191f2a9c5b138934d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eceac589836c7baee1e67cfd781eb181

SHA1
6fdec32d1fc911eca694169a5f6cb2c48cca9848

SHA256
d805578b0e4bc6d97103d278e8775e7c836a0eabe0e828f9a62af73be5412afc

SHA512
914c85321e27e56270d222a817262a3845b23f7c77132696056ea369192382810868f823a7a80205920ca13a94b3e145f993628e86a7875abe753e309055a294

Download Submit
memory/1628-305-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-306-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-307-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-311-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-317-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-316-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-315-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-314-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-312-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download
memory/1628-313-0x0000024E5B4E0000-0x0000024E5B4E1000-memory.dmp

Filesize
4KB

Download