hxxps://mega[.]nz/folder/9i8XGTaR#YmcgLQQhWKCDsDjJ3IG-ug

Analysis

max time kernel
64s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/9i8XGTaR#YmcgLQQhWKCDsDjJ3IG-ug

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\ecprivate主要.zip:Zone.Identifier msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\ecprivate主要.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
5688	msedge.exe
5688	msedge.exe
4780	msedge.exe
4780	msedge.exe
4292	identity_helper.exe
4292	identity_helper.exe
3672	msedge.exe
3672	msedge.exe
2232	msedge.exe
2232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3212 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3212 AUDIODG.EXE

description	pid	process
Token: 33	3212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3212	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4780 wrote to memory of 5212	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 5212	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 3556	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 5688	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 5688	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 848	4780	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/9i8XGTaR#YmcgLQQhWKCDsDjJ3IG-ug
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa95033cb8,0x7ffa95033cc8,0x7ffa95033cd8
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15541135564330410859,16556323399329500007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
  2⤵
  PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\Temp1_ecprivate主要.zip\ecprivate主要\EC.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_ecprivate主要.zip\ecprivate主要\EC.exe"
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\243e2ca8-dac4-450d-996a-d671c7df338c.tmp

Filesize
872B

MD5
e60c3fd6a5934915af0bf4e0e52faff5

SHA1
cd509c4191364abfc91eca0ec0f97660e21379be

SHA256
ca7c961c36bd5d5dccad1ca45b5df150edda3b5ad09d17e94ef4792b2c00ed2b

SHA512
275ae07a08ebe065227bb0545f2b9826a197c5781cc3f4582ad303f17ce1fe65d903532e34cb510f929268c59c2de99ba3a9d7d779f0c9fcced6302ed1bd4b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3df4cbbbd659a69166a4cc89053b0683

SHA1
131ba88b7845bd4e125e1e0838303adad65c21c6

SHA256
0e8534efa98de8bf30692761a7a5889960ef6a52a307a7349bd5e9777c5a749b

SHA512
09203825ee4c2b6aff444cd91151cfaf3bc8727fcc4cd44f790dfc7c9550414c5f7f42a715d70136feb9c914cce69de8dbd6a9d6a61f9734e232632fc5fa9259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a447cd72f17f28aa8ec08c97256c52ab

SHA1
8ec2b6fbe3ef6edc1044995473361771024f1594

SHA256
6024108c2ffb2500a93a5f721fd605934f82129a2a88a17d1f22d9f90db0b29a

SHA512
7cc47ebb3b771a88d62d129373f21f0edb952922e2ee93db0c7cfb742e580083110725b5369e6fbaa601edf7f0c9391813638f2905d0008b47ba3e27954be794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19a083124dfa8e994eee5b221c82dc4a

SHA1
213a7815ee97a035b0f8f33d9d7f1f450219e33d

SHA256
5057b9bb472c8d032386dd539375ee40e63f667dd1860fa75c5cc7e8b5435bc6

SHA512
1f54066bb15110127ab42270205105aabad8bf848a5e0a63ffe8fe52a7ee77809841aa66b8edf41b1aa41c26b6579d94d4ad24ed61f0e9b35698d3e46f1e069d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5406ead4fc0712ab1dcc5eff33960b54

SHA1
a08c653c04fabe12ecb2ac91d3e76d582f63a856

SHA256
a0214c8df56e0aa6942573732e2a27aadf7ef23044ee6b4945932afeff4c0302

SHA512
f2a5485c9253cb2b8b6df41d7e38ab2a0b1d9821e72c4786078501f699966348552f0b5bc87e89987f546df482ce1abb56ea5a711b94b305100bf79f9aedc39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75d9d50df9f80ad4e113842787d0adc5

SHA1
ee40bab9df3ae75bfc76b6dfd1e3dfa8398a3a1a

SHA256
ab6d943c9fe3a273c7cbfd5b7118bf4cb25f8a4dcc3fabe89b6fe616475b435f

SHA512
d3bed536b087e772067a96a5786682b3f19fd04a65dbe8750b183356e4bf8abdbdc3a83951583c1516663500453c2a00eefcf2dc7781be6944297dd00dd5182e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c701d66f0dd1cbdf05d451103edd8f9e

SHA1
64fec0c0c270d5f1135b159e2b948f1c3ad04461

SHA256
35a1e292fae92cbf7ace5ee43b32de6bce510e76f7515d33fb932c435dfcb57d

SHA512
c903302ada3eecf74def4d9c6e26133f094199a8eb498ff2b01bab5a41be6844a8c7d92f50281a510cf14c459eacf6448b80715527f5409fcb24edc757b153df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f28e.TMP

Filesize
48B

MD5
def41aa05ff5da591fefb1be87f75a97

SHA1
f31123de69a442ed4ed9f19feea1c887f3041c13

SHA256
f260b697b9dd4730f3a3eebf2714e36397252d91c35dfa452ade7c4778d80407

SHA512
a73c94d899a5c4c30f540c00cac24bb5808f159ef4708dbc2234b011ba855afd544d3f82961b6a3200401877137012f22fbc7a47c966fbc654041618870d06dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586d3c.TMP

Filesize
203B

MD5
49b9b6f509db4f0d046eef6f36d4eabf

SHA1
61cbbf3c5c3a078b7c8667c8c5f31a769a2c589f

SHA256
bf8af8c7417ca365cc8aed84d1f00b83add40e6dd5c0947220bd8349b5234c26

SHA512
3c3f63b7e81b35322fd7f3559f2c8a8eb5d0ee67973db44b3545c647c8c83aa66681372e20ca244a974d91279f36856cb3dd38500099d48ba1dac0f8c13320e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
332a417ff8803c061dffadf9cf2a7857

SHA1
86b52fcabc3fc568a9d2842248c609313dea9125

SHA256
b224938ad298e5b55470b4d49cfa60cd71b50dcb9f9e85101558be84318cf049

SHA512
9960425ffbefa812be0585fb9f790b96b403d119b3be968a5a08e821c55ab86f323af5520198ac4c0791d75676512be4e2dcadbb2e01f99a5d6e92075ea8ef90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5b93c0149292ea94ac06d526b91ee606

SHA1
9b07e32989fa9b8af5937f312b63f711b925981c

SHA256
7fb15c6845d9127c690974581bfc3b03e8a5854a5b2d988ee5f23b2bf11d9e61

SHA512
66fca3e7ad81256ffef2998bfe4b6967e413b3a8ea1ea925e2e812f013b1c89559050c94c54bfb6a950b616601eb7d90774bf18e8d92c072e86de3b23409dfc2

Download Submit
C:\Users\Admin\Downloads\ecprivate主要.zip

Filesize
16.4MB

MD5
027ff3c0d83ac19db61daf6257491648

SHA1
c0f4f65eb52fe3a5da80e6a9b139127fda6ba77a

SHA256
c1cb9e66c8c1029c5942cf86569ce71d09e551d307bd39b5d99aac99c58bf141

SHA512
d3cf8ed8348341b6800a61fcd44e3e026fc6c522d0bc8c15baad8a4f2dc6e098d3cbad88293a20cb1755081d6f864bb34ed7e946c72ec1f73fcce9fc765f9397

Download Submit
C:\Users\Admin\Downloads\ecprivate主要.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_4780_SMNJRAHWRUGJZUKK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit