hxxps://cdn[.]discordapp[.]com/attachments/1287504161193201675/1315434035392155748/Soundpad[.]exe?ex=675764e9&is=67561369&hm=5c9a68567c3a7a41294bb64e311cc0735ae3a7e98a6d9dc8afae5edd367023cf&

Analysis

max time kernel
131s
max time network
129s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08/12/2024, 21:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1287504161193201675/1315434035392155748/Soundpad.exe?ex=675764e9&is=67561369&hm=5c9a68567c3a7a41294bb64e311cc0735ae3a7e98a6d9dc8afae5edd367023cf&

Score

8^/10

steam defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2020	Soundpad.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Soundpad.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 572427.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Soundpad.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
5048	msedge.exe
5048	msedge.exe
4028	msedge.exe
4028	msedge.exe
1708	identity_helper.exe
1708	identity_helper.exe
1528	msedge.exe
1528	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4128	5048	msedge.exe	78
PID 5048 wrote to memory of 4128	5048	msedge.exe	78
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 4508	5048	msedge.exe	79
PID 5048 wrote to memory of 1100	5048	msedge.exe	80
PID 5048 wrote to memory of 1100	5048	msedge.exe	80
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81
PID 5048 wrote to memory of 5032	5048	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1287504161193201675/1315434035392155748/Soundpad.exe?ex=675764e9&is=67561369&hm=5c9a68567c3a7a41294bb64e311cc0735ae3a7e98a6d9dc8afae5edd367023cf&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb50f93cb8,0x7ffb50f93cc8,0x7ffb50f93cd8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Users\Admin\Downloads\Soundpad.exe
  "C:\Users\Admin\Downloads\Soundpad.exe"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=984 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,17160545225882723278,7648719820216428736,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5492 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1b1cad4ba6b0479b5b274984c2ad1384

SHA1
7fc8c85975fae39fb61711af1df7b3532027dea9

SHA256
a21b4c61f7b9adc687d8078b9f614aa951c58727e4b44b84b65510e925e932fd

SHA512
e72a1422f8199bd4561a2a7e60e5e08369592b478ee63215c6838caecd76c3b5bd9d9589319de179fcd7e08f05625f0a1b55e45c4973bc77ec89651a920c0ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
902B

MD5
1de630bee6a79288e6fce0e01762f72e

SHA1
9b61c0c094b490e1decb23adbc75ea9b9563b59d

SHA256
981ba423dd414e78bd252b28976dda11ff9e651d32fe6791a4cc4d9ddf3d66ec

SHA512
02f572f708f8c8231af7b4daebac0f37dcaea11a8dd7555d96995d84c435a1fe444747fb5a31bc1c42766f071b9a2e1e268502dbb8b4c7eb1b61066d8e9f6f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
905119b7e2216866df1bcde7d838c73e

SHA1
ddeb132463d562a0f00d6865f61f4aa580f11999

SHA256
950d809b0bc6bd1989af516c9095edb4f393fe3f68e95f0de5a25f345339efca

SHA512
aa88972750b7598de86140a925b98aed98ab9839f59017acf9a016ad7be6edf5cf27d475cc2f84eaca6e4f029a2836795ebdb24727f379ecdb7d3c5f8751dc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
456a849e542d6e4b931f428f2e541e3a

SHA1
cbbd63910220da8d70ec51259c50fe6f99bd19bd

SHA256
744d7a5372ec99d34948a8aaeed2c04989386af47eb1748cef738afa02d3d988

SHA512
fc4796b907b3d95b2a4fab5b868b57145b65c9f912efbbdeff2f8eec3ce79c76262944be66ef2e2342900a8734464118f6eacf1ace111a9dec6724da284085bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b24f7ea674df777b26d837e3ab421570

SHA1
9fa987bdd60b6752daa40464f8347f8373928fa1

SHA256
08ba098d3c31293e037abe80add903a5ffba49b452557643bd84c1a7fc512774

SHA512
11889324cd3660df32b768349e4cf06ec5ed1008898eef135864cc757428b89fc6e20d4d621bd83f2595e2d30b7688e6fb12af4c03f00bd4c351ea1167e4eab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a7da45d5a9fea73f2b686e339318d2b

SHA1
a45f45183f24879fc00f48c27461fb2d1a7c308c

SHA256
46aba85ac025087faceb5eeb1f5fdb8f40f1a39056f8c510c9b17a4d87107728

SHA512
38a53d81873f9635ae3db97bf50b55efb9c9317cc44a65f0a639802a19d718079e8c1bfc031a7ad0594f553997a208fd59e323aed20443f6db8ae86568be439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f56ca3ac387f7960239cc98a3c76ce7

SHA1
00e556fe27c13cde3f37f8db6a98c808849e510d

SHA256
91f8cde500391e1b3f63358d4bb59b8eed53592f29d19d8c0f0a6eb44d07b822

SHA512
ffb4168a184dc8029a6803cf3b997f046fb62b9e05a4e34ae3fc723513cd9cc7425f8343c41fc0ffed5c8b21d55dacdb1c97a88107cd925ebca9bd0b54bd396c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1206fb6e5ed9920872cd2fb23bb36512

SHA1
d8fa1ccc6d2989895c1ed53e5d1af0a4f8da1986

SHA256
cc880a586b6461126d07fca896deb706330a5765872446bdda040ef4ca12f569

SHA512
ae3dfd40fd0ea4bf342baf5c3067736b85a93459762a65a583c8403041d55fa1f33c998b7e6620bfbb5e585ee3366dad7c4b922d1966f7ea2ba9d1bb3f858b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d6dcdc8d3e49af95e7e8419bdff3beb4

SHA1
2496f7c9fec20d1910b9f35f60cb048e874cbb76

SHA256
e003a1decc21b6e248adda276bdab6cc24f52a011102b068cfe9f58454647069

SHA512
3eb136ac7c3fcaa31c1b4b928af15b5a7374a8b9207c913e434d78de7c06cd3107c9b776e5e2e03264762318710526fa4a80b3f82d6c3f7d8f7404d00b560087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
5f4beff672c0f6425397eac7afe7252d

SHA1
2c07f923d7c16dbe866415ec402ae526b8bf26b1

SHA256
11ea25ab57af7cd9700cc73665e03bf620903858eecf5416b8696c729959ee33

SHA512
77caf97798b8f2dd3f6fe6b2e18de309e72bb2c429c995b7abecf3f030c54e5618aa61b556af3c098973ee4fad52c2472d88ed4635165439164cb4dd58e83475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e9a0.TMP

Filesize
538B

MD5
8d489707c1733a1d36d3234f327da10d

SHA1
a23556017e0e85f5f6fe5afe0738ecf47de948bd

SHA256
c9cda0b60816cd9ef22a6b91e07889f6ffa2c848e1ca629b8b6a4c2294f8605f

SHA512
a66bdf778669c5f885d4430471ce44af5cdb13b7eb813dea7ad4cd92d71e11130494e93361d175d8accb32fdaa18ca782a79d77e36694cb04942205883e6bb84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
96cf0ee9014877d8e326e26622ac29d8

SHA1
6ccc54efb0475f4375d3615c234972d79231a277

SHA256
2364f6b832fa4a5b1dbd8f1e22d66aa56eed083dc0240519407c579f2ed25b64

SHA512
2b41e7219cb475a852ca01146da6de69cfb4de3d6dafa6e840fecfcfcc195cb30d29e9572eec91666449893e44955968ef136b6723a345d71e1e5a23e2d9c4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b9962aac88df30b1f91cded5e5fd9c3

SHA1
c2641685179af0a4c6ea9c40f393d6f0afd7b743

SHA256
b516fa792f948b2e044ad5c58439c0773cd4bae0e5bb04f25466503b38f429bc

SHA512
2e222daff3e983dcb740c85371948e3215100bf342d356f93c43529389c74d0238c01c204ba2a38e5357ecbab9f454cd1bee9dfc7a9eafc258e82ee7a6d94975

Download Submit
C:\Users\Admin\Downloads\Soundpad.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 572427.crdownload

Filesize
10.9MB

MD5
0ae4f60d72e0d1c159505500b8a08ebb

SHA1
bb352dafd3c3ebebb4414b799010fe5ebddbef44

SHA256
ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379

SHA512
88495911df544a04a4e09828ae10b57d3d945c41d6e28964c2d4d077afa43fec1c82a8ff6dcce57a3c7b9e5d02d1e47f800f557b022866f5f7be4a2db9b07536

Download Submit