hxxp://stemamd[.]oi[.]kl[.]io[.]lll[.]co/khyu9[.]exe

Analysis

max time kernel
146s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://stemamd.oi.kl.io.lll.co/khyu9.exe

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM.
phishing steam
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
416	msedge.exe
416	msedge.exe
4804	msedge.exe
4804	msedge.exe
4680	msedge.exe
4680	msedge.exe
4032	identity_helper.exe
4032	identity_helper.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 896	4804	msedge.exe	77
PID 4804 wrote to memory of 896	4804	msedge.exe	77
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 3520	4804	msedge.exe	78
PID 4804 wrote to memory of 416	4804	msedge.exe	79
PID 4804 wrote to memory of 416	4804	msedge.exe	79
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80
PID 4804 wrote to memory of 1304	4804	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://stemamd.oi.kl.io.lll.co/khyu9.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc0903cb8,0x7ffcc0903cc8,0x7ffcc0903cd8
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,11506361118364852393,10927762554437701694,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3928 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
68KB

MD5
f26bbba7e176ea7ee28bb8d1bb559e46

SHA1
04efbece4b8f5160b177211e1451a649b844b775

SHA256
e1fd5de2bdb5c05b81918158dd6f841338028f72ceee214de7c67813ed2a8155

SHA512
c23a748d54d6829127e50a912a0af1f8e9e611bb919a972697a0e71ba812843dc51642f4d72dfae6b6cfdbc65503828456a7773338e1fa83a2d88f889741fd45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
7KB

MD5
6c79577e453470a95853f8a8d25b23f8

SHA1
655a35357bba88f311ffaae3edc4d52e0801d8dc

SHA256
ca9bef9ed1c6b0f13d0bb4c14f7ce4f28e54e78257e1469af9acdc51ce7b76c3

SHA512
9e197e956e2444fbf05b99edad93f33ab3befa17cb8276003b43c1637dd2440ce6147b2660c8a52b56e8813593eddae5900c3cc792fcbfa4c85e8587955ccac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4838673b0fbf1079fa3b33dbba5cd3ee

SHA1
3b053f50cc200622603710ac751532323fe5ec91

SHA256
56d9ea5f2d49469c77e92d0e44dd3c58b988d4480b49626a297eef524fd68dc5

SHA512
7300d54d9ba4e68e13f56e3b9532ba101bf9cda60ef7e4ff28ff3d628c98eaaf3d401515310adf352a841fcfa84deb9f40e401ff39bb8f7c29d122810a4c4b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
333c18be487d343b9eb3f271e9e95d01

SHA1
ad11812f4ceb96f7aded5ae0928e7bf84198ad57

SHA256
d9e3021465b0946df0eea41106f9a2ee6d62c36c1244b32e5b342ef30c91f860

SHA512
c9095a823422239adc0fe2634449d189ddce2ad2ec6d0360304a59d7d721cf251de708f2b3615cc720b234a6b2b7b9e18a8fe6e0b8139380e3d14710a834b79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
7f2e55a28ca541471fc7e4bae99e58ce

SHA1
0e55f11e9856bf2610755075457b78373b2d37a5

SHA256
ecdbbb32af0c272b95a39fb8ee75993c03b4eb717a2a6549a7099dd1c215552e

SHA512
0a72dabfb85fda3b73a56807d4f97436c184b1b2d9f20c92b56e5bedd2fc33f2dd9ee8eb8d221cfc192921d7ed2fabb671d825fcab723bd93cd686e83eee4674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ed41bf45b8f7dfaf4a8800e3eb8a791e

SHA1
10c6130607e9251f5422437b8e256f8fde8f3f1e

SHA256
294e789d94219ad6a3e03b67036c8fcc7f6c92d02733812ca220cecb202757af

SHA512
b51c137de2066ae4e023a1d7340f257a96b02ea5b25c7507cef88e9f5deea6251ed43d85d6f7c2786b8e10f7034f714e749ff3de925cac03f1405d873b4fa8c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5b8276a5a48c88d85e087bb7c6894e2c

SHA1
9fb840ef638ee533fe9f31731849cb91d7de3541

SHA256
d71f166b0e4975b1adca051c369f5d088a01d9c2662027476c6c739c675d8cce

SHA512
86310c98aabed9f4cc97a137563cee12ca75799a710b7a7423ea448e32ab3c5c4b4a9db0b790a895fa21084c09fb68f1b35328e70a22ef9923683ae549a4350f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed9acf1c90ef5d329f863b1e541546be

SHA1
5a89654d9063b453218a713c80ea162bae52fdc8

SHA256
54dfe48e9f7934a3550bf3720744161672f51b4028267ced78641f0a46135b85

SHA512
fa8bfdfd930131513818488b4b1dfe4fc3ded57924edbb3af4cd80ca53462ae68ec1c17ee5cb0f632c1a90fd3f44b6ad8f456fd535ba73f3ca3eb6960d623d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
794a755e8cb4aa5bbd6b041f88ae9d8a

SHA1
33c68529e60bd62925c315dbf875ed1674226869

SHA256
54198250f8a2adf0ab6204527f21b7bf5fd942f0edf4bd75a9cd28ad45181e4c

SHA512
7371a64621592c8a68c314603f910b68b272cf96e981b56dcf9048be4630c3e53f74d69a3212bada70212b7570f8ddf92f0131a432f8b81ba92100b3fb64115a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
930ba2bbd6b42c624ba7499cace47785

SHA1
92db0ea4a1354b5f6700c52791d66ef3175a1dbc

SHA256
2f5977c3862f61e64ca25c3c5c585926b1c48c5252d64195464a9b643a256929

SHA512
4035118e04b975d4ffb416868574601fa049d66eaed5546ebd7bfae5e2e7fcca455e6bf10b7f478ae7ddd3c350ecee066de23d0816d021cbd00a7cc24ac6adf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f3fa90b8fe7f353d68a0ff3233dc8535

SHA1
1721d8dbec4ae8aec790feb759a97e9f7033c332

SHA256
d81f275a78c5ca6d64cb2b0d6819c6071ab2dc3aeab22fd76a04746dafd72bdb

SHA512
06f70df46e9f2ee98a0f2cc5f612320ec8ecaca461a9dc52869f2e905872563bf3f26d05815301770a10667346be3e3722139785ef691ecfdcc1876f0172c4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
8c398ffffd2e0bdf0a15bc2fa6698432

SHA1
80fa2eae270740d7e2ce4d866361439608b0bbc5

SHA256
bc8f380e7ed823c065d9bb489c9ee22e8976b90343ae67a40aa13ec16bee2e6a

SHA512
54547bc253e1984998a2eee013a2d1d0ec39a8e02b27f1b2473814c1f0f860ff81fa8ab190fe02c526029011498dd33e9afd370c2827ac40bdcc3f44162aa4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe595440.TMP

Filesize
874B

MD5
7d377727039b60255c2167fca734ff25

SHA1
fd6d8a5269fdfd733177656424992ba0f0be5084

SHA256
1d9c6e871933ab963b3d289c92772ba1209d0f42f5b63c065a41fd240b8b021f

SHA512
fb5db14535df5c1cbbf860adad3f1cbc9956bcb90ea352f9381c86bad8bc60f4b9f863b442bd15bb1d4e00d568de929d66259737d574039bf29b5569799b39e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
56409104c4a4a4a9c18fc27203e85a63

SHA1
1f3cf226c8de20153ac3df43ac9aa6049afd7657

SHA256
441e0997a50ca1191cb20692b05ae4d584ad83b9d7fa7d5cfbde098f302b9b3e

SHA512
be305231120e38bfe2396e8437d5956c099c90526b2da257888d21d60f84ec8cfba498b8a1310f90db3a364fa9873c84a71d39ecadea9681d5377232b30f9398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c48b28e7886c1e0624f5123be3f97b4e

SHA1
e872b587cf2357bb222356d59babdfdeae05720c

SHA256
2d617d920c00dc7144a6f3a519cb38782f3b25a19e335b2a7b12136fc28d6a1b

SHA512
cf4fe41ddc781b9c4d5f726aed5c6710dcd823e5a5557b9aa1981d39c51007d9e3204bedfee77d67c4bf6b475548767134a5bfb3f15895be18cf26d4d1b71adb

Download Submit